Professional Documents
Culture Documents
Interactive Locking, Zero-Knowledge PCPS, and Unconditional Cryptography
Interactive Locking, Zero-Knowledge PCPS, and Unconditional Cryptography
Yuval Ishai
Mohammad Mahmoody
Amit Sahai
Technion and UCLA, yuvali@cs.technion.ac.il. Supported in part by ISF grant 1310/06, BSF grants 2004361,
2008411, and NSF grants 0716835, 0716389, 0830803, 0916574.
UCLA, sahai@cs.ucla.edu.
1 Introduction
What is the minimal amount of trust required for unconditionally secure cryptography? Uncon-
ditional cryptography can be based on trusted two-party functionalities such as oblivious trans-
fer [Rab81, Kil88] or noisy channels [CK88], on bounded storage assumptions [Mau92], on the
presence of an honest majority [BGW88, CCD88, RB89], or even on the presence of a dishonest
majority of non-communicating parties [BGKW88]. More recently, there has been a considerable
amount of work on cryptographic protocols in which parties can generate and exchange tamper-
proof hardware tokens. In this model it was shown that unconditionally secure commitments [MS08]
or even general secure two-party computation [GIS
+
10] are possible, provided that the tokens can
be stateful. In particular, stateful tokens can erase their secrets after being invoked. The present
work is motivated by the goal of establishing unconditional feasibility results for cryptography us-
ing stateless hardware tokens. This question turns out to be related to the classical question of
unconditional multi-prover zero-knowledge proofs, which we revisit in this work. We start with
some relevant background.
1.1 Multi-Prover Zero-Knowledge
Since the introduction of zero-knowledge proofs in the seminal work of Goldwasser, Micali, and
Racko [GMR89], a large body of work has been devoted to understanding the capabilities and
limitations of such proofs. A particularly successful line of research studied the power of statis-
tical zero-knowledge (SZK) proofs ones which guarantee that even computationally unbounded
veriers can learn nothing from the interaction with the prover. In contrast to computational zero-
knowledge proofs [GMW91], a major limitation of SZK proofs which restricts their usefulness in
cryptography is that they seem unlikely to cover the entire class of NP [For89, AH91]. The related
goal of obtaining any kind of unconditional zero-knowledge proofs for NP, which do not rely on
unproven intractability assumptions, seems as unlikely to be achieved (cf. [OW93]) at least until
the elusive P vs. NP question is resolved.
Motivated by the above goals, Ben-Or, Goldwasser, Kilian, and Wigderson [BGKW88] intro-
duced in 1988 the model of multi-prover interactive proofs (MIPs), a natural extension of the
standard model of interactive proofs which allows the verier to interact with two or more non-
communicating provers. The main result of [BGKW88] is an unconditional two-prover SZK proof
for any language in NP (see [LS95, BFL90, DFK
+
92] for subsequent improvements). A direct
cryptographic application suggested in [BGKW88] is that of proving ones identity using a pair of
bank cards. We will further discuss these types of applications later.
In a very surprising turn of events, the initial work on zero-knowledge in the MIP model led to
a rapid sequence of developments that have literally transformed the theory of computer science.
This line of research culminated in the rst proof of the PCP Theorem [AS98, ALM
+
98].
The notion of probabilistically checkable proofs (PCPs) is very relevant to our work. In 1988,
Fortnow, Rompel, and Sipser [FRS88] suggested an alternative model for MIPs in which multiple
provers are replaced by a single oracle, subsequently called a PCP oracle or just a PCP. The
dierence between an oracle and a prover is that an oracle, like a classical proof, cannot keep an
internal state. When a prover is asked multiple queries, the answer to each query can depend on all
previous queries, whereas the answer of an oracle to each query must depend on that query alone.
The latter dierence makes soundness against PCP oracles easier to achieve than soundness against
provers, which explains the extra power of PCPs over traditional interactive proofs. However,
1
as already observed in [BGKW88], the zero-knowledge property becomes harder to achieve when
converting provers into oracles because oracles have no control over the number of queries made by
a dishonest verier. In particular, if the verier may query the entire domain of the oracle (as in
the case of traditional polynomial-length PCPs) then the oracle can no longer hide any secrets.
The question of replacing zero-knowledge provers by stateless oracles is motivated by practical
scenarios in which veriers can reset provers to their initial state, say by cutting o their power
supply. (Note that similarly to zero-knowledge provers, zero-knowledge PCP oracles should be
randomized in the sense that their answer depends both on the query and on a secret source of
randomness which is picked once and for all when the oracle is initialized.) This motivation led
to a recent line of work on resettable zero-knowledge, initiated by Canetti, Goldreich, Goldwasser,
and Micali [CGGM00]. The main results from [CGGM00] show that, under standard cryptographic
assumptions, there exist resettable (computational) zero-knowledge proofs for NP. However, results
along this line do not seem relevant to the case of unconditional (and statistical) zero-knowledge
proofs, which are the focus of the present work.
Zero-knowledge PCPs. The question of unconditional zero-knowledge PCPs was studied by
Kilian, Petrank and Tardos [KPT97] (improving over previous results implicit in [DFK
+
92]). Specif-
ically, it is shown in [KPT97] that any language in NEXP admits a proof system with a single
PCP which is statistical zero-knowledge against veriers that can make any polynomial number
of PCP queries (but are otherwise computationally unbounded). However, as expected from proof
systems for NEXP, the answers of the PCP oracle cannot be computed in polynomial time. This
still leaves hope for scaling down the result to NP and making the PCP oracle ecient given an
NP witness. Unfortunately, such a scaled down version presented in [KPT97] has the undesirable
side eect of scaling down the zero-knowledge property as well, eectively restricting the number
of queries made by a cheating verier to be much smaller than the (xed polynomial) entropy of
the oracle. Thus, compared to typical feasibility results in cryptography, the results of [KPT97] for
NP require us to either make an unreasonable assumption about the computational capability of
the (stateless) prover, or to make an unreasonable assumption about the limitations of a cheating
verier.
Interactive PCPs. The above state of aairs motivates us to consider the Interactive PCP
(IPCP) model, which was recently put forward by Kalai and Raz [KR08] and further studied
in [GKR08b]. This model can be seen as lying in between the pure PCP model and the pure MIP
model, thus aiding us in our quest for a minimal model for ecient unconditional zero-knowledge
proofs for NP. In the IPCP model there is one interactive prover as in the MIP model and one
PCP as in the PCP model. The study of IPCPs in [KR08] was motivated by the eciency goal of
allowing shorter PCPs for certain NP languages than in the traditional PCP model, at the price of
a small amount of interaction with a prover. In contrast, our use of the IPCP model is motivated by
the feasibility goal of obtaining unconditional zero-knowledge proofs for NP with polynomial-time
prover and PCP oracle. Another dierence is that while in the context of [KR08] a PCP is at least
as helpful as a prover, the zero-knowledge property we consider is harder to satisfy with a PCP
oracle than with a prover (as discussed above). The IPCP model can be made strictly stronger
than the MIP model by requiring soundness to hold also with respect to stateful PCP oracles. We
tackle this stronger variant as well, but we stick to the basic IPCP model by default.
To meaningfully capture zero-knowledge proofs with polynomial-time provers in the IPCP
2
model, we extend the original IPCP model from [KR08] in two natural ways. First, we allow
the PCP to be randomized. Concretely, we assume that both the prover and the PCP are imple-
mented by polynomial-time algorithms with three common inputs: an instance x, a witness w, and
a random input r. (This is analogous to earlier models for ecient multi-prover zero-knowledge
proofs for NP.) The length of both w and r is polynomial in [x[. Second, as discussed above, in
order to allow the PCP oracle to hide secrets from the verier we need to use PCP oracles with a
super-polynomial query domain, and we restrict cheating veriers to make (an arbitrary) polyno-
mial number of queries to the oracle, but otherwise allow them to be computationally unbounded.
Note, however, that in contrast to the solutions from [KPT97] we cannot use PCP oracles with a
super-polynomial entropy since we want our PCP to be eciently implementable.
This gives rise to the following feasibility question:
Are there (ecient-prover) statistical zero-knowledge proofs for NP in the interactive
PCP model?
1.2 Our Results
We answer the above question armatively, presenting an unconditional SZK proof for NP in the
interactive PCP model with ecient prover and PCP oracle. Zero-knowledge holds against cheating
veriers which can make any polynomial (in fact, even sub-exponential) number of PCP queries,
but are otherwise computationally unbounded. Our protocol can be implemented in a constant
number of rounds. We also show how to get a similar protocol (with a non-constant number of
rounds) in the stronger variant of the IPCP model in which a cheating PCP oracle may be stateful,
thus strengthening the previous feasibility result from [BGKW88].
Interactive locking. The main technical tool we use to obtain the above results (as well as
additional applications discussed below) is a new primitive which we call an interactive locking
scheme (ILS). This primitive extends in a natural way the notion of non-interactive locking schemes
which were dened and implemented in [KPT97]. The original locking primitive can be viewed as
a PCP-based implementation of a non-interactive commitment with statistical hiding and binding.
Roughly speaking, a locking scheme is an oracle which hides a secret that can later be revealed to
the receiver by sending it a decommitment key. Given access to the oracle alone, it is hard for the
receiver to learn anything about the secret. However, it is easy for the receiver to become convinced
that at most one secret can be successfully decommitted even when the oracle is badly formed.
The locking scheme from [KPT97] requires the oracle to have bigger entropy than the number
of queries against which the hiding property should hold. We prove the intuitive fact that such
a limitation is inherent, and therefore there is no ecient-oracle non-interactive locking scheme
which resists an arbitrary polynomial number of queries. This is because intuitively if the entropy
of the oracle is bounded, then either: (1) the receiver is able to learn all the entropy by making a
polynomial number of queries, and therefore break the hiding property; or (2) if some entropy is
hidden no matter what queries the receiver makes, then a cheating sender is able to create a fake
oracle that can cheat on this entropy and therefore be opened to any value, breaking the binding
property.
This motivates our notion of an interactive locking scheme. An ILS is a locking scheme in the
IPCP model: the commitment phase can involve, in addition to oracle queries by the receiver,
interaction with the sender from whom the secret originated. Here the sender and the oracle play
3
the roles of the prover and PCP oracle in the IPCP model, respectively. Decommitment still
involves a single message from the sender to the receiver. Somewhat surprisingly (and counter to
our own initial intuition), we show that interaction can be used to disrupt the intuitive argument
above.
We present several constructions of ecient interactive locking schemes. We show how to obtain
such schemes from interactive hashing a primitive which was introduced by Naor, Ostrovsky,
Venkatesan, and Yung [NOVY98] for the purpose of constructing statistically hiding and computa-
tionally binding commitment schemes from any one-way permutation (see also [OVY93a, DHRS04,
HR07]). The high level idea of the transformation from interactive hashing to ILS is to imple-
ment a one-way permutation by an oracle which contains a random point function (i.e., a function
that outputs 0 on all but one random point). To ensure the binding property even when the oracle
is badly formed, the receiver should query the oracle on a small number random points to verify
that it is not too far from a point function. The (black-box) proof of security of the interactive
hashing protocol implies (unconditional) proof of security for the ILS.
The above connection allows us to use interactive hashing protocols from the literature for
obtaining interactive locking schemes, but leaves open the question of minimizing the amount of
interaction with the sender. We resolve this question by presenting a novel direct construction of
ILS which requires only a single round of interaction with the sender.
The high level idea behind our single round ILS is as follows. The oracle constructed by the
sender will be the zero function over 0, 1
n
except for an interval of size 2
cn
. That is, (x) = 1
for a x a + 2
cn
and (x) = 0 elsewhere. Depending on whether the sender commits to zero
or one, the interval will be planted in the rst or second half of the oracle . The position a of
the interval will be revealed to the receiver in the decommitment phase. When c < 1, the interval
size 2
cn
will be small enough to prevent the receiver from nding the committed bit during the
commitment phase. But now the sender is able to cheat by planting intervals in both the rst
and second half of . To guarantee binding, we let the receiver ask a challenge question about
the interval in such a way that the sender cannot nd a pair of planted intervals in the rst and
second half of with the same challenge answer. A natural idea is to use a pairwise independent
function h: 0, 1
n
0, 1
dn
and ask the sender to reveal h(a). The sender is able to plant at
most 2
(1c)n
separate intervals in each half of . Each of the intervals in the rst and second half
of will have the same hashes with probability 2
dn
. Therefore if 2(1 c) < d, then with high
probability over the choice of h the sender is not able to nd two intervals with the same hash
value h(a) and thus gets committed to a xed bit. But now the information revealed by h(a) might
help the receiver nd a non-zero point in and break the hiding property. We show how to modify
the a known construction of pairwise independent hash functions to get another function which is
still almost pairwise independent but has the additional property that the preimages of any hash
value are scattered in the domain of the hash function. The latter property prevents the receiver
from taking advantage of the knowledge of h(a) to nd where the interval is planted. Using this
approach we simultaneously guarantee binding and hiding.
Cryptography using hardware tokens. The above study of zero-knowledge interactive PCPs
and interactive locking schemes is motivated by a recent line of research on the capabilities of
cryptographic protocols in which parties can generate tamper-proof hardware tokens and send them
to each other. Katz [Kat07] shows that, under computational assumptions, general universally
composable (UC) secure two-party computation [Can01] is possible in this model if the tokens
4
are allowed to be stateful, and in particular can erase their secrets after being invoked. It was
subsequently shown that even unconditional security is possible in this model, rst for the case
of commitment [MS08] and then for general tasks [GIS
+
10]. See [GO96, GKR08a, HL08] and
references therein for other applications of stateful tokens in cryptography.
Obtaining similar results using stateless tokens turns out to be more challenging. Part of the
diculty stems from the fact that there is no guarantee on the functionality of tokens generated
by malicious parties they may compute arbitrary functions of their inputs and may even carry
state information from one invocation to another. It was recently shown in [GIS
+
10], improving
on [CGS08], that any one-way function can be used for basing (computationally) UC-secure two-
party computation on stateless tokens. More practical protocols which satisfy weaker notions
of security were given in [Kol10]. These works leave open the question of obtaining a similar
result unconditionally, and with statistical security. (To get around impossibility results in the
plain model, the number of queries to a token should be polynomially bounded, but otherwise
malicious parties may be computationally unbounded.) In fact, the constructions from [CGS08,
GIS
+
10, Kol10] may lead to a natural conjecture that achieving statistical security in this setting
is impossible, since in these constructions all the useful information contained in tokens can be
learned by a computationally unbounded adversary using a polynomial number of queries.
However, similar to the case of ILS discussed above, the combination of stateless tokens and
interaction turns out to be surprisingly powerful. As already alluded to in [BGKW88], MIP proto-
cols can naturally give rise to protocols in the hardware token model. In our case, we implement
the ILS (or IPCP) by having a single sender (prover) create a stateless tamper-proof hardware
token which implements the PCP oracle and send it to the receiver (verier). Applying this to our
results, this directly gives rise to the rst unconditionally secure commitment protocols and SZK
proofs for NP using stateless tokens.
We show how this can be extended to general unconditionally secure (in fact, UC-secure) two-
party computation if parties are allowed to build tokens which encapsulate other tokens: namely,
the receiver of a token A is allowed to build another token B which internally invokes A. The
high level idea is the following. By the completeness of oblivious transfer (OT) [Kil88, IPS08], it
suces to realize OT using stateless tokens. This is done as follows. The OT senders input is a
pair of strings (s
0
, s
1
) and the OT receivers input is a selection bit b. The OT receiver commits
b using an ILS. Applying our best construction, this involves sending a token A to the OT sender
and responding to a random challenge message received from the OT sender. The OT sender now
prepares and sends to the receiver a token B with the following functionality. Token B accepts a
selection bit b along with a corresponding decommitment message. It checks that the decommitment
is valid (this involves invocations of the token A, which token B encapsulates) and then returns
the string s
b
if decommitment was successful. The binding property of the ILS guarantees that the
OT receiver can learn at most one string s
b
. The hiding property of the ILS guarantees that the
sender cannot learn b.
Interestingly, we also show a matching negative result: if token encapsulation is not allowed,
then statistically secure OT is impossible. This holds even if both parties are guaranteed to follow
the protocol except for making additional queries to tokens in order to learn information about the
other partys input. The proof of this negative result employs the recent notion of accessible entropy
from [HRVW09] and has the following high level intuition. One way to explain why statistical OT is
not possible in the standard model (i.e., without tokens) is that at any time during the interaction
a computationally unbounded party (e.g., the OT receiver R) is able to sample from the space of
5
its randomness r
R
conditioned on what the other party (i.e., the OT sender S) knows about Rs
computation. The latter information is captured by the transcript of the protocol. Therefore if at
the end of the interaction the distribution of r
R
conditioned on is not revealing the receivers bit
b, the receiver can sample from (r
R
[ ) and nd out both of the strings (s
0
, s
1
). If such sampling
is done eciently, the protocol is said to have accessible entropy [HRVW09]. In the token model,
however, the exchanged information is not symmetric and Bob might not know which queries Alice
has asked from Bobs tokens. Similarly to the standard model, we dene a protocol (A, B) in the
token model to have accessible entropy if the parties can (information theoretically) sample their
history of computation so far only conditioned on the other partys view. Similarly to the standard
model, accessing the entropy of a protocol for OT in the token model can be used to break its
security for the benet of either of the parties. We prove the following technical lemma: For any
protocol (A, B) in the stateless token model, there is another protocol (A
t
, B
t
) with the following
properties. (1) the parties in (A
t
, B
t
) emulate the original protocol (A, B). Namely A
t
honestly
runs an instance of A in its belly and similarly B
t
does so for an instance of B. (2) Other than
emulating (A, B), A
t
and B
t
are also allowed to learn more information about the tokens they
hold by asking token queries that might not be specied by (A, B). (3) (A
t
, B
t
) is still restricted
to asking at most poly(n) number of queries from the tokens totally. (4) Finally, almost all the
entropy of the interactive algorithms A
t
and B
t
in the protocol (A
t
, B
t
) is accessible. This lemma,
together with the necessity of inaccessible entropy for the possibility of OT, proves that statistical
OT does not exist in the stateless token world.
Organization. In Section 2, we dene the notions of zero-knowledge IPCPs and ILS, and show
how to use ILS to build unconditional zero-knowledge IPCPs for NP. We also show that interaction
is required for ecient ILS. In Section 3, we show how to construct ILS. In Section 6, we show
the implications of our work on (unconditionally secure) cryptography with tamper-proof hardware
tokens.
2 Preliminaries
2.1 Basics about Probabilities
By sup(X) we mean the support set of the random variable X. By x X we mean the process
of sampling x according to the distribution of the random variable X. By (X [ Y ) we denote the
random variable X conditioned on the random variable Y .
Denition 2.1. For the random variables X and Y dened over the set U (i.e. sup(X)
sup(Y )
U) we let SD(X, Y ) denote their statistical distance dened as: SD(X, Y ) = max
EU
[ Pr[X
E] Pr[Y E][. We also use X
j
B
j
. Then it holds
that Pr
X
[E[X] [ B] p.
2.2 Interactive Algorithms
We assume that the reader is familiar with the notion of interactive Turing Machines introduced
in [GMR89] which here we call interactive algorithms. An interactive protocol is dened by two
interactive algorithms A and B where each of A and B may have its own private input, private
random tape, and output. By 'A, B`(x) we denote the output of B when A and B interact on
the common input x. We take the output 1 to denote an accept and the output 0 to denote a
reject. When x is clear from the context we might omit it from the notation (e.g., letting 'A, B`
denote 'A, B`(x)).
By an ecient algorithm we mean one which runs in polynomial time over its input length.
We do not assume the interactive algorithms to be necessarily ecient unless explicitly mentioned.
We always let n denote the length of the input x which will also serve as the security parameter
when A and B are ecient.
A round consists of a message from A followed by another message from B assuming that A
starts the protocol. The round complexity of the protocol (A, B) is the maximum number of rounds
that A and B interact as a function of the input length n.
The view of an interactive algorithm consists of its input, its randomness and the answers
received from the other interactive algorithm participating in the protocol.
We use the notation
A to denote a possibly malicious interactive algorithm participating in a
protocol instead of the honest interactive algorithm A.
Although one of the main applications of the interactive protocols is to use them as a proof
system [GMR89], here we dene their basic properties in a more abstract level so that we can use
them in the next section in the extended model of Interactive PCPs.
Denition 2.4 (Properties of interactive protocols). Let (P, V ) be an interactive protocol com-
posed of a prover P and a verier V . We dene the following properties for (P, V ).
Soundness: (P, V ) is (1 )-sound for the input x, if for every prover
P it holds that
Pr['
P, V `(x) = 1] .
Statistical zero-knowledge (SZK): (P, V ) is (n)-SZK for the language L if there is a simu-
lator Sim that gets oracle access
1
to an arbitrary (unbounded) verier
V
produces a view for
V when inter-
acting with P on the input x. A query q
sim
= (r
V
, a
1
, . . . , a
i
) of the simulator Sim to the oracle
V
is the last query of Sim: (r
V
, a
1
, . . . , a
j
). It is easier to think of a
straight-line simulator as an interactive algorithm which simply interacts with the verier
V
and outputs the view of
V in this interaction.
Note that the soundness is only a property of the verier V while zero-knowledge is only a
property of the prover P.
Inecient veriers with large randomness. To prove the zero-knowledge for inecient ver-
iers
V with super-polynomially long randomness, we slightly change the simulators behavior
of Denition 2.4 as follows. We let the oracle
V to choose the randomness r
V
uniformly at
random (hidden from the simulator) and the simulators queries would only consist of provers
messages q
sim
= (a
1
, . . . , a
i
). Also the simulators output will be the last query of the simulator
q
sim
= (a
1
, . . . , a
j
) joint with the randomness r
V
chosen by the verier (and yet (r
V
, a
1
, . . . , a
j
)
should be -close to the view of
V when interacting with P). All of our simulators in this paper
will be of this form to let us handling arbitrarily inecient veriers.
Denition 2.5 (Composition of interactive protocols). Let (P
1
, V
1
), . . . , (P
k
, V
k
) be k interactive
protocols. By (P
seq
, V
seq
) we mean the sequential composition of (P
1
, V
1
), . . . , (P
k
, V
k
) dened as
follows.
Let x be the common input.
V
seq
uses independent random coins r
V
1
, . . . , r
V
k
for V
1
, . . . , V
k
and P
seq
uses independent coins
r
P
1
, . . . , r
P
k
for P
1
, . . . , P
k
.
P
seq
and V
seq
rst interact according to the protocol (P
1
, V
1
) over the input x, and after that
interact according to the protocol (P
2
, V
2
) (over the asme input x) and so on.
At the end V
seq
rejects if any of V
i
s reject.
By (P
par
, V
par
) we mean the parallel composition of (P
1
, V
1
), . . . , (P
k
, V
k
), which is dened sim-
ilar to (P
seq
, V
seq
) with the dierence that V
1
, . . . , V
k
interact with the prover P
par
in a round-
synchronized way. Namely in the jth round of the interaction, V
par
sends the queries q
j
1
, . . . , q
j
k
to
the prover P
par
where q
j
i
is the jth query of V
i
(and q
j
i
= if V
j
s interaction nishes before the
jth round). Then V
seq
receives k answers a
j
1
, . . . , a
j
k
and V
i
uses a
i
as its answer to continue its
execution.
2
2
To dene the parallel composition, we do not necessarily assume (P1, V1), . . . , (P
k
, V
k
) to have equal round com-
plexity, and the round complexity of (Ppar, Vpar) will be the maximum of the round complexity of (P1, V1), . . . , (P
k
, V
k
).
8
Both (P
seq
, V
seq
) and (P
par
, V
par
) are special cases of concurrent composition (P
con
, V
con
) in which
the verier runs V
1
, . . . , V
k
and the prover runs P
1
, . . . , P
k
in a way that V
i
will be interacting with
P
i
in the ith sessions. There is not any round synchronization enforced across dierent sessions.
The honest verier V
con
will send the next query q
j
i
(i.e. the jth query of V
i
) when she receives the
answer a
j1
i
from P
i
in the ith session, but a cheating verier
V
con
might delay sending such query
to gather more answers in dierent sessions before continuing. On the other hand the honest prover
P
con
will send the answer a
j
i
back whenever he receives the query q
j
i
from V
con
, but a cheating prover
P
con
might delay sending such answer to gather more queries in dierent sessions before continuing.
By using simple delay policies, both the prover and the verier (when the other party is hon-
est) are able to force a concurrent composition to behave like a parallel or sequential composition.
The inputs in composed protocols. In all variants of compositions dened above (including
the concurrent composition), the same input x is used in all the sub-protocols. More general
denitions of concurrent composition allow dierent inputs to be used in dierent instances of the
protocol, but our denition still generalizes the parallel and sequential denitions and is enough
for our purposes. Moreover, the properties of the concurrent composition described in Lemma 2.13
below (in particular the SZK property) hold in the more general form of concurrent composition
with dierent inputs (as long the inputs are xed at the beginning of the execution of the system.)
Lemma 2.6 (Properties of composition of interactive protocols). Let (P
1
, V
1
), . . . (P
k
, V
k
) be k in-
teractive protocols, and let (P
seq
, V
seq
), (P
par
, V
par
), (P
con
, V
con
) be, in order, their sequential, parallel,
and concurrent compositions. It holds that:
1. Soundness [BM88]: If (P
i
, V
i
) is (1
i
)-sound over the input x for all i [k], then
(P
con
, V
con
) (and in particular (P
seq
, V
seq
) and (P
par
, V
par
)) will have soundness 1
i
.
2. SZK [KLR06]: If (P
i
, V
i
) is
i
-SZK for the language L with a straight-line simulator for all
i [k], then (P
con
, V
con
) (and in particular (P
seq
, V
seq
) and (P
par
, V
seq
)) will be (
i
)-SZK
for L with a straight-line simulator.
Part 1 of Lemma 2.6 is proved in [BM88] for the case of parallel composition, but the proof
extends to the concurrent composition as well. The proof of Part 2 of Lemma 2.13 follows by a
standard hybrid argument similar to the proof of Part 2 in Lemma 2.17 below.
2.3 Oracle Algorithms
We use the standard notation A
1
1
, . . . , A
k
k
be k oracle algorithms
with access to k oracles
1
, . . . ,
k
where for all i [k] A
i
asks at most t rounds of oracle queries
from
i
. We dene A
par
par
the parallel composition of A
1
1
, . . . , A
k
k
as follows.
The oracle
par
= (
1
[ . . . [
k
) is the combined oracle of
1
, . . . ,
k
.
A
par
par
emulates A
1
1
, . . . , A
k
k
in parallel as follows. Let q be one of the queries of A
i
in its jth
round of queries to
i
. A
par
asks (i, q) from
par
in its jth round of queries and returns the
answer to A
i
.
A
par
par
rejects if any of the emulated algorithms A
1
1
, . . . , A
k
k
reject.
2.4 Interactive PCPs
Interactive PCPs (Denition 2.8 below) were rst introduced in [KR08] and combine the notion of
oracle algorithms with interactive algorithms. Similar to the previous section, here also we dene
IPCPs in a general way, not only for the purpose of a proof system, but rather as a model of
interaction consisting of interactive algorithms and a prover.
Denition 2.8. (Adapted from [KR08]) An interactive probabilistically checkable proof (IPCP)
= (P, , V ) consists of an interactive algorithm P (the prover), an oracle (the PCP oracle),
and an interactive algorithm V (the verier) such that:
P and share common randomness r
P
, and V is given the randomness r
V
.
P, , and V will be given an input x of length [x[ = n. P and may also receive a common
private input w.
3
The PCP oracle is a function of (r
P
, x, w, q) where q is a query of the verier V . Since
(r
P
, x, w) is xed at the beginning of the protocol, we might simply use (q) to denote the
answer to the query q.
P and V
engage in an interactive protocol during which V can query the PCP oracle and
at the end V accepts or rejects.
By an ecient IPCP we mean one in which the prover P, the PCP oracle , and the verier V
run in polynomial time over the input length [x[ = n.
Denition 2.9 (Properties of IPCPs). Let = (P, , V ) be an IPCP. We dene the following
properties for .
Soundness: is (1 )-sound for input x, if for every prover and oracle (
P, ) it holds that
Pr['
P, V
`(x) = 1] .
Adaptive-soundness: is (1 )-adaptively-sound for input x, if for every prover
P and
every stateful oracle it holds that Pr['
P, V
`(x) = 1] .
Statistical zero-knowledge (SZK): The SZK property is dened as an extension to the
SZK property of interactive protocols (Denition 2.4) with respect to a language L. Since all
of our simulators in this paper are straight-line, for sake of simplicity here we only describe
how to extend the denition to SZK of IPCPs for straight-line simulators.
3
For example when (P, ) are ecient and L NP, w could be a witness for x L.
10
The straight-line simulator interacts with a (potentially malicious) verier
V , while the
simulator Sim receives all the queries of the the verier (including both the queries asked
from the prover and from the oracle) and responds to them.
Since an unbounded verier can ask arbitrary number of queries from its oracle, here we
put a bound u on the number of oracle queries asked by
V . More formally we say that
is (u(n), (n))-SZK (with a straight-line simulator), if there is a simulator described as
above such that for any v u, if
V asks at most v oracle queries, then Sim runs in time
poly(n, v) and produces a view for
V which is -close to the view of
V when interacting
with (P, ).
Note that when u(n) is super-polynomial, Denition 2.10 implies the standard notion of zero-
knowledge against polynomial-time veriers.
Denition 2.10 (SZK-IPCP for languages). We say that = (P, , V ) is an SZK-IPCP for the
language L with SZK (u(n), (n)) and (adaptive) soundness 1 (n) if the following holds:
Completeness: If x L, then Pr['P, V
`(x) = 1] = 1.
(Adaptive) soundness: has (adaptive) soundness 1 if for all x L, the verier V is
(1 (n))-(adaptively)-sound. Namely for all provers
P and (stateful) oracles it holds that
Pr['
P, V
`(x) = 1] (n).
Statistical zero-knowledge (SZK): Dened according to the denition of SZK in Deni-
tion 2.9.
We simply call an SZK-IPCP for L with (adaptive) security u, if is (11/u)-(adaptively)-sound
and (u, 1/u)-SZK.
Round complexity of IPCPs. By the round complexity of an IPCP we mean the number of
rounds of interaction between the verier and the prover (and not the PCP oracle) where each
round consists of a message from the verier followed by a message from the prover. In particular,
the round i for the verier starts after the i 1th message of the prover is sent and ends when the
ith query of the verier to the prover is sent (which will be followed be a message from the prover).
Thus in each round the verier behaves like an oracle-algorithm. The reasons to only consider the
interaction with the prover as a factor in round complexity are as follows.
1. In our constructions of SZK-IPCPs, the number of rounds of oracle queries is either equal
to one (Theorem 3.1) or is bounded by the number of rounds of interaction with the prover
(Theorem 3.2). On the other hand our negative results (Part 2 of Theorem 4.1) is regardless
of number of rounds of oracle queries.
2. Regarding the application of IPCPs to the stateless hardware token model, the queries from
the PCP oracle are asked locally (as opposed to the queries from the prover which are sent
to a remote party). Therefore the number of rounds of interaction with the prover is a more
meaningful measure of the eciency of the system.
Let be an IPCP with j rounds. We can always decompose the veriers randomness into
r
V
= (r
1
V
, . . . , r
j
V
) so that for the rst i rounds only the rst i parts (r
1
V
, . . . , r
i
V
) are used by the
verier. A trivial decomposition is to let r
1
V
= r
V
and r
i
V
be the empty string for i 2, but that
might not be the natural decomposition of the randomness.
11
Denition 2.11 (Public-coin IPCPs). By a public-coin IPCP we mean an IPCP where the prover
gets to see the coin tosses of the verier all along the interactions. Namely the veriers randomness
is decomposable into r
V
= (r
1
V
, . . . , r
j
V
) such that r
i
V
is publicly reviled (to the prover) at the
beginning of round i and (r
1
V
, . . . , r
i
V
) is used by the verier in round i.
Comments about public-coin IPCPs.
As a mental experiment we can always assume that the whole randomness r
V
is chosen at
the beginning and it is only reviled part by part to the prover and is used by the verier.
Without loss of generality we can always assume that r
i
V
is the ith message of the verier
to the prover. That is because the prover knows the content of the oracle and thus can
determine the veriers query at the end of round i by only knowing (r
1
V
, . . . , r
i
V
). Despite
this fact, it might still be conceptually simpler to describe the veriers query in other ways.
Being public-coin is part of the denition of the model and it might change the soundness of
an IPCP. Namely, and IPCP might be 0.99-sound when considered as a (regular) IPCP over
an input, but only 0.01-sound when considered as public-coin IPCP.
When considering adaptive soundness (against stateful oracles), the public-coin IPCP model
is only as strong as a two-party (i.e. single prover) interactive protocol. The reason is that
the prover and the oracle both get full information about the veriers messages to both of
them and thus can play as a unied party. (For the same reason fully-public-coin multi-prover
proof systems are only a special case of single prover proof systems.)
Now we dene several forms of composition of IPCPs by extending the corresponding compo-
sitions of interactive algorithms (Denition 2.5) to the IPCP model. The new component in the
IPCP model compared to the model of interactive algorithms is the oracle. The oracle in all the
compositions of IPCPs discussed here is simply the combined oracle of the IPCPs being composed.
This way the ith emulated verier will ask its oracle queries from the ith oracle by adding a prex
i to its queries and asking them from the combined oracle.
Denition 2.12 (Composition of IPCPs). Let
1
= (P
1
,
1
, V
1
), . . . ,
k
= (P
k
,
k
, V
k
) be k IPCPs.
Let = (
1
[ . . . [
k
) be the oracle combination of
1
, . . . ,
k
, and let U
i
be the modied version
of V
i
which asks its oracle queries from rather than
i
by adding the prex i and asking (i, q)
from . We dene the sequential
seq
= (P
seq
,
seq
, V
seq
), parallel
par
= (P
par
,
par
, V
par
) and
concurrent
con
= (P
con
,
con
, V
con
) composition of
1
, . . . ,
k
, in order, as the sequential, parallel,
and concurrent composition of (P
1
, U
1
), . . . , (P
k
, U
k
) (note that
seq
=
par
=
con
= ). In case of
parallel composition the emulated veriers ask their oracles queries also in parallel. Namely, let U
j
i
denote the jth round of the oracle algorithm U
i
(i.e., after it asks its (j 1)th query and before
it asks its jth query from the prover P
i
). Similarly let V
j
par
denote the jth round of the oracle
algorithm V
par
. The oracle algorithm V
j
par
will be the parallel composition of the oracle algorithms
U
j
1
, . . . , U
j
k
according to Denition 2.7.
The denition above describes the honest behavior of the prover, oracle, and the verier in
various forms of composition. The way malicious parties can behave in such compositions is deter-
mined both by the denition of the composition and the IPCP model. In particular, although in all
forms of composition the emulated V
i
asks its oracle queries from by adding a prex i (simulating
12
the query being asked from
i
), since the oracle is accessible by the verier all along, a malicious
verier is allowed to ask any query from the oracle . Also in the case of concurrent composition,
it might be useful for a malicious stateful oracle to gather more queries from the verier before
responding to them.
Note that similar to the case of interactive algorithms, the soundness and SZK of the concurrent
composition imply those properties (with the same parameters) for the sequential and parallel
compositions.
Lemma 2.13 (Properties of composition of IPCPs). Let
1
= (P
1
,
1
, V
1
), . . . ,
k
= (P
k
,
k
, V
k
) be
k IPCPs, and let
seq
,
par
and
con
be in order their sequential, parallel, and concurrent composi-
tions. It holds that:
1. Soundness: If
i
is (1
i
)-sound for input x for all i [k], then
con
(and in particular
seq
and
par
) will have soundness 1
i
over the input x.
2. Adaptive-soundness: If
i
is (1
i
)-adaptively-sound for input x for all i [k], then
seq
will have adaptive-soundness 1
i
over the input x.
3. SZK: If (P
i
,
i
, V
i
) is (u,
i
)-SZK for the language L with a straight-line simulator for all
i [k], then
con
(and in particular
seq
and
par
) will be (u,
i
)-SZK for the language L
with a straight-line simulator.
In the case of sequential composition of interactive protocols it was not necessary for the simu-
lator to be straight-line to get Part 2 of Lemma 2.6, but as we will see in the proof of Lemma 2.13,
in the case of IPCPs since the verier is allowed to query the oracle whenever she wants, we need
the simulator to be straight-line even in the case of sequential composition.
Proof. (of Lemma 2.13)
Soundness. Let
P be an arbitrary prover and = (
1
[ . . . [
k
) an arbitrary oracle where
i
is
the oracle accessed by the emulation of V
i
in V
con
. We claim that Pr['
P, V
` = 1]
i
p
i
and the
reason is as follows. Let V
t
i
= V
i
i
be the interactive algorithm where the oracle
i
is hardwired into
the algorithm V
i
(note that V
t
i
is inherently inecient). Now the interactive algorithm V
t
= V
con
is the same as the concurrent composition of V
t
1
, . . . , V
t
k
. The crucial point is that the interactive
algorithm V
t
i
is well-dened regardless of which other interactive algorithms are run in parallel.
That is because
i
is a xed oracle and its answers only depend on the queries that V
i
is asking
from it (i.e.,
i
s answers do not change depending on other queries asked by other V
j
s). Let
t
i
= max
P
Pr['P, V
t
i
` = 1], then by the soundness hypothesis it holds that
t
i
= max
P
Pr['P, V
t
i
` = 1] max
P,
Pr['P, V
i
` = 1]
i
.
Therefore by Part 1 of Lemma 2.6, it holds that
Pr['
P, V
con
` = 1] max
P
Pr['P, V
t
` = 1]
t
i
i
.
Adaptive-soundness. Suppose the sequential executions of
1
, . . . ,
k
do not lead to a reject.
Then by the (1
i
)-adaptive-soundness of
i+1
, V
i+1
will accept with probability at most
i
regardless of what has happened in the previous interactions and even if
i+1
is stateful. Thus the
probability that all of V
i
s accept is bounded by
i
.
13
SZK. For an arbitrary IPCP = (P, , V ) let (P
u
, V ) be the interactive protocol in which P
u
answers both the queries of V from the prover P and up to u oracle queries of V asked from . If
P, and P
u
are honest, then from the point of view of a verier V who asks at most u oracle queries
there is no dierence between interacting with P
u
or (P, ). Therefore (P
u
, V ) is -SZK for any
language L (with a straight-line simulator) if and only if is (u, )-SZK for L (with a straight-line
simulator). Now by Part 2 of Lemma 2.6 and using the fact that
i
is (u,
i
)-SZK, it follows that
(P
u
i
, V
i
) is
i
-SZK for L. Let (P
u
con
, V
con
) be the concurrent composition of (P
u
i
, V
i
)s for i [k]. By
Part 2 of Lemma 2.6 (P
u
con
, V
con
) is (
i
)-SZK for L. On the other hand, if we restrict a verier
V to ask at most u queries from a combined oracle = (
1
, . . . ,
k
), the number of queries that
V can ask from the ith sub-oracle
i
(by adding the prex i to the query) is also bounded by u.
Therefore the (
i
)-SZK property of (P
u
con
, V
con
) implies that
con
is (u,
i
)-SZK for L.
We shall point out that since in the sequential composition
seq
a cheating verier
V
seq
can
ask arbitrary queries to the oracle
seq
at any time during the interaction, therefore the behavior
of
V
seq
in
seq
does not necessarily correspond to a cheating verier interacting in the sequential
composition of (P
u
i
, V
i
)s. However any cheating verier
V
con
participating in
con
(and in particular
participating in
seq
and
par
) always corresponds to a cheating verier interacting in a concurrent
composition of (P
u
i
, V
i
)s.
2.5 Interactive Locking Schemes
An Interactive locking scheme is a commitment scheme implemented in the IPCP model. A similar
denition appeared in [KPT97] without the interaction (i.e. only with an oracle), but as we will
see in Theorem 4.1 non-interactive locking schemes are inherently inecient and therefore not as
applicable in cryptographic settings.
Denition 2.14 (Interactive locking scheme). Let = (S, , R) be an ecient IPCP (where we
call S the sender, the locking oracle and R the receiver) of the following form:
The common input is of the form 1
n
where n is the security parameter.
(S, ) receive a private input w W
n
which is called the committed message as well as the
private randomness r
S
. The receiver R gets the randomness r
R
.
The receiver R gets oracle access to the locking oracle and R
`] = 0
then Sam(, w) outputs r according to the distribution (r
S
[ , w). Namely r is sampled
according to the distribution of the private randomness r
S
of (S, ) conditioned on w being
the committed message and being the transcript of the commitment phase.
We simply call the ILS u-secure if it is (1 1/u)-binding and (u, 1/u)-hiding.
Public-coin ILS. Since ILSs are IPCPs by denition, we dene an ILS to be public-coin similar
to the way we dened public-coin IPCPs. Note that the soundness of an ILS might decrease when
considered as a public-coin system.
Round-complexity of ILS. Since the interactive part of the decommiemnt phase of any ILS
consists only of one message from the sender S to the receiver R, by the round-complexity of any
ILS we only refer to the number of rounds during its commitment phase.
15
Composition of ILSs. Dierent forms of composition of IPCPs can be applied to ILSs just
as well, but here we are interested in their parallel composition and a specic variant of it. In
any k-fold composition of the ILSs the sender receives k private messages w
1
, . . . , w
k
where each
w
i
W is used as the private message in the ith ILS. Therefore the message space of the composed
ILS potentially increases from W to W
k
. We use parallel composition to expand the message space.
We use a variant of parallel composition which uses the same message in all composed ILSs to to
amplify the soundness of an ILS.
Denition 2.16 (Parallel Compositions of ILSs). Let
1
= (S
1
,
1
, R
1
), . . . ,
k
= (S
k
,
k
, R
k
) be
k ILSs. By
par
= (S
par
,
par
, R
par
) we mean the the parallel composition of
1
, . . . ,
k
as IPCPs
according to Denition 2.12. Namely, during the decommitment phase the sender S
par
sends the
message ((w
1
, r
P
1
), . . . , (w
k
, r
P
k
)) to the receiver R
par
who emulates the interactive algorithm R
i
over the message (w
i
, r
P
i
) for i [k] (and accepts if all of them accept).
By a same-message (parallel) composition
smp
= (S
smp
,
smp
, R
smp
) of
1
, . . . ,
k
we mean
their parallel composition where the receiver enforces the condition that the same w
1
= w
2
= =
w
k
W is used as the commmitted message in all of
1
, . . . ,
k
. Namely, in the decommitment
phase of
smp
, the sender S
smp
sends (w, r
S
1
, . . . , r
S
k
) to the receiver R
smp
and the receiver runs
the verication algorithm similar to R
par
but over the message ((w, r
P
1
), . . . , (w, r
P
k
)).
Note that the message space of the same-message composition
smp
stays the same as W (as
opposed to the regular parallel composition
par
which expands the message space to W
k
).
Lemma 2.17 (Properties of parallel compositions of ILSs). Let
1
= (S
1
,
1
, R
1
), . . . ,
k
=
(S
k
,
k
, R
k
) be k ILSs with the same round complexity and the same message space W, and let
par
= (S
par
,
par
, R
par
) and
smp
= (S
smp
,
smp
, R
smp
) be their parallel and same-message composi-
tions. Then we have:
1. Binding: If
i
is (1
i
)-binding for all i [k], then
par
is (1
i
)-binding and
smp
is
(1
i
)-binding.
2. Hiding: If
i
is (u,
i
)-hiding for all i [k], then
par
and
smp
are both (u,
i
)-hiding.
3. Equivocability: If
i
is equivocable for all i [k], then both of
par
and
smp
are also
equivocable.
Proof. .
Binding. S
par
of
par
gets bound to a message (w
1
, . . . , w
k
) if all of S
i
s for i [k] get bound to
a message w
i
. By the union bound and the (1
i
)-binding of
i
with probability at most
i
by
the end of the commitment phase there exist an i [k] where S
i
is not bound to a xed w
i
. Thus
S
par
has binding at least (1
i
).
On the other hand, since S
smp
is forced to use the same message w in all of R
i
s, S
smp
gets
bound to a message w if for at least one i [k] R
i
gets bound to a message w. Recall that
the latter happens whenever the inecient modication of the receiver R
t
i
dened in binding part
of Denition 2.15 rejects and by the binding of
i
this rejection happens with probability at least
1
i
. Therefore by the soundness amplication of parallel composition of IPCPs (Part 1 of Lemma
2.13), with probability 1
i
at least one of R
t
i
s reject in the execution of S
smp
in which case
the sender S
smp
gets committed to at most one possible message w.
16
Hiding. We use a standard hybrid argument (which works the same for both
par
and
smp
). Fix
any two messages w
1
= (w
1
1
, . . . , w
1
k
), w
2
= (w
2
1
, . . . , w
2
k
) and consider k +1 experiments as follows.
In the ith experiment for 0 i k, we use a parallel composition of
1
, . . . ,
k
while for 0 j i
the committed message in
j
is w
1
j
and for i + 1 j k, the committed message in
j
is w
2
j
.
Fix any malicious receiver
R
par
who asks at most u queries from its locking oracle . Let
i
be the
random variable which consists of the transcript of the commitment phase in the ith experiment.
If SD(
0
,
k
) >
i
, then there should exist i [k] such that SD(
i1
,
i
) >
i
. Therefore
R
par
can
distinguish between the experiments i 1 and i with advantage
i
. Now we claim that there exists
a malicious receiver
R that can break the
i
-hiding of
i
by
i
-distinguishing the two experiments
where in the rst one w
1
i
and in the second one w
2
i
is used as the committed message in
i
.
R will
run
R
par
while simulating the k 1 other senders and oracles of
R
par
as follows. For
0
, . . . ,
i1
i
. In other words
the statistical distance between the view of
R in the two experiments is at most 3
i
.
Experiment Real:
1. (w
1
, . . . , w
k
) is sampled according to the distribution D, (r
1
, . . . , r
k
) is sampled uniformly at
random and (S
i
,
i
) receives (w
i
, r
i
) as its private message and randomness.
2.
R interacts with (S
1
,
1
), . . . , (S
k
,
k
) in parallel till the end of the commitment phases.
3.
R selects an arbitrary set B [k] and receives (w
i
, r
i
) for all i B.
4.
R can continue asking up to u oracle queries (including the previous queries asked) from the
combined oracle = (
1
[ . . . [
k
).
18
Experiment Simul:
1. (r
t
1
, . . . , r
t
k
) is sampled uniformly at random and (S
i
,
t
i
) receives (0, r
t
i
) as its private message
and randomness.
2.
R interacts with (S
1
,
t
1
), . . . , (S
k
,
t
k
) in parallel till the end of the commitment phases.
3.
R selects a subset B [k]. At this point (w
1
, . . . , w
k
) is sampled according to D, and r
i
is
sampled at random conditioned on being consistent with w
i
and the transcript of 'S
i
,
i
`.
Then
R receives (w
i
, r
i
) for all i B.
4. Now for all i B let
i
be the oracle generated with (w
i
, r
i
) as its private message and
randomness, and for all i [k] ` B let
i
be the same as
t
i
. Let the combined oracle be
dened as = (
1
[ . . . [
k
).
R can continue asking up to u oracle queries (including the
previous queries) from the combined oracle .
Proof. We will use several hybrid arguments. We rst dene one more experiment:
Experiment Mixed:
1. (r
t
1
, . . . , r
t
k
) is sampled uniformly at random and (S
i
,
t
i
) receives (0, r
t
i
) as its private message
and randomness.
2.
R interacts with (S
1
,
t
1
), . . . , (S
k
,
t
k
) in parallel till the end of the commitment phases.
3.
R selects a subset B [k]. At this point (w
1
, . . . , w
k
) is sampled according to D, and r
i
is
sampled at random conditioned on being consistent with w
i
and the transcript of 'S
i
,
i
`.
Then
R receives (w
i
, r
i
) for all i B.
4. Now for all i k let
i
be the oracle generated with (w
i
, r
i
) as its private message and
randomness, and let the combined oracle be dened as = (
1
[ . . . [
k
).
R can continue
asking up to u oracle queries (including the previous queries) from the combined oracle
t
.
Claim 3.5. For any receiver
R who asks at most u oracle queries, the statistical distance between
the view of
R in Real and Mixed is at most
i
.
Proof. Let
mixed
and
real
be the transcript of the commitment phases in the experiments Mixed
and Real. As a mental experiment suppose:
1. In Mixed, the sampling (w
1
, . . . , w
m
) D
k
is done at the beginning (similar to Real).
2. In both Real and Mixed, the random seeds (r
1
, . . . , r
k
) are chosen after the commitment
phases are done, conditioned on the transcript of the commitment phases (
mixed
or
real
) and
(w
1
, . . . , w
m
).
Now the only dierence between Real and Mixed is in the statistical distance between (w
1
, . . . , w
k
,
mixed
)
and (w
1
, . . . , w
k
,
real
) in the two experiments. The crucial point is that the distribution of r
i
s
conditioned on (w
1
, . . . , w
k
, ) are independent and thus the way they are sampled in Real and
Mixed (conditioned on (w
1
, . . . , w
k
, )) is the same. Now suppose the statistical distance between
(w
1
, . . . , w
k
,
mixed
) and (w
1
, . . . , w
k
,
real
) is more than
i
. Then by an average argument we can
19
x the value of (w
1
, . . . , w
k
) and still keep the statistical distance to be more than
i
. Namely
for xed values of (w
1
, . . . , w
k
), the statistical distance between
mixed
and
real
is more than
i
.
Notice that the dierence between Mixed and Real (after xing (w
1
, . . . , w
k
)) is that
mixed
is gen-
erated with (0, . . . , 0) as the private messages while
real
is generated with (w
1
, . . . , w
k
). But this
contradicts the hiding property of parallel composition of ILSs (i.e. Part 2 of Lemma 2.17).
The following claim together with Claim 3.5 (and the triangle inequality over the statistical
distances) nishes the proof.
Claim 3.6. For any receiver
R who asks at most u oracle queries, the statistical distance between
the view of
R in Mixed and Simul is at most
i
2
i
.
Before proving Claim 3.6 consider the following two experiments.
Experiment Com0Dec0:
1.
R interacts with (S
i
,
i
) in the commitment phase conditioned on 0 being the private message
of (S
i
,
i
).
2.
R can continue asking up to u oracle queries.
Experiment Com0Decw:
1.
R interacts with (S
i
,
i
) in the commitment phase conditioned on 0 being the private message
of (S
i
,
i
).
2. A randomness of the sender r
S
is sampled conditioned on the view of
R and w being the
private message.
3.
R can continute asking up to u oracle queries, but the oracle answers will be based on (w, r
S
)
being the private message and the randomness of the oracle.
Claim 3.7. For any message w, any receiver
R who asks at most u oracle queries can distinguish
between the Com0Dec0 and Com0Decw by an advantage of at most 2
i
.
Proof. Let the experiment ComwDecw be an experiment similar to Com0Decw where the transcript
of the commitment phase was generated conditioned on w being the private message. By the (u,
i
)-
hiding of the ILS
i
the statistical distance between the view of
R in Com0Dec0 and ComwDecw
is at most
i
. We can apply Lemma 2.2 (with X, Y , and Z being in order the view of
R in
Com0Dec0, ComwDecw, and Com0Decw, and the rst part of each random variable being the view
of the commitment phase) to conclude that the statistical distance of view of
R in Com0Dec0 and
Com0Decw is at most 2
i
.
Proof. (of Claim 3.6) Suppose
R can distinguish between Simul and Mixed with advantage more
than
i
. By an average argument we can get x the sample (w
1
, . . . , w
k
) D
x
and use it in
Simul and Mixed and keep the distinguishing advantage of
R more than
i
. Now we use a hybrid
argument. For 0 j k, dene the jth hybrid experiment as follows.
20
Experiment Hybrid
j
1. (r
t
1
, . . . , r
t
k
) is sampled uniformly at random and (S
i
,
t
i
) receives (0, r
t
i
) as its private message
and randomness.
2.
R interacts with (S
1
,
t
1
), . . . , (S
k
,
t
k
) in parallel till the end of the commitment phases.
3.
R selects a subset B [k]. At this point (w
1
, . . . , w
k
) is sampled according to D, and r
i
is
sampled at random conditioned on being consistent with w
i
and the transcript of 'S
i
,
i
`.
Then
R receives (w
i
, r
i
) for all i B.
4. Now for all i B [j] let
i
be the oracle generated with (w
i
, r
i
) as its private message and
randomness, and for all i [k] ` (B [j]) let
i
be the same as
t
i
. Let the combined oracle
be dened as = (
1
[ . . . [
k
).
R can continue asking up to u oracle queries (including the
previous queries) from the combined oracle .
Note that Hybrid
0
= Simul and Hybrid
k
= Mixed (with the mentioned dierence that (w
1
, . . . , w
k
)
is xed now). Therefore if
R can distinguish between Simul and Real with advantage more than
i
2
i
, then there exists i [k] such that
R can distinguish between Hybrid
i1
and Hybrid
i
with
advantage more than 2
i
. It is easy to see (similar to the proof of Part 2 of Lemma 2.17) that
R
can be converted into another malicious receiver
R
i
who asks at most u oracle queries and is able
to distinguish between Com0Dec0 and Com0Decw
i
with advantage more than 2
i
. But the latter is
not possible because of Claim 3.7.
Therefore Lemma 3.4 follows from Claims 3.6 and 3.5 and the triangle inequality over the
statistical distance.
4
Now we prove Theorem 3.1 using Lemma 3.3 and Lemma 3.4.
Proof. (of Theorem 3.1) Let L NP, and let x be an input to an IPCP for L. By using the
Cook-Levin reduction one can eciently compute (from x) a graph G where x L i G 3COL,
and moreover any witness for x L can be eciently converted into a witness for G 3COL and
vice versa. So we would assume that the parties always will run the Goldreich-Levin reduction rst
and then will work with a graph G as their input where G has n = [N[ vertices and m = [M[ edges.
By a padding argument we can always assume that n [x[ and so any u(n)-secure IPCP for 3COL
will yield a u(n)-secure IPCP for L as well. Therefore without loss of generality will work with
L = 3COL directly.
We use the zero-knowledge construction of [GMW91] which in turn uses a commitment scheme.
For the needed commitment scheme we use the ILS = (S, , R) of Lemma 3.3.
Construction 3.8 (Weakly-sound SZK-IPCP for 3COL). Let w: [n] 1, 2, 3 be a proper 3-
coloring for G where w(i) = w(j) if i = j. Let = (S, , R) be the ILS of Lemma 3.3 and let w be
the secret input given to (S, ). The IPCP = (P, , V ) is as follows.
4
Note that the reductions in various hybrid arguments in the proof of Lemma 3.4 are not ecient, but they keep
the number of queries asked by
R bounded (which was sucient). The reductions can be done eciently if is are
equivocable.
21
1. The prover P chooses s S
3
at random where S
3
is the set of all permutations over the set
1, 2, 3. P uses s to randomize the coloring w to get a new 3-coloring of G as c(i) = s(w(i))
for all i N. Note that c is also a proper 3-coloring of G. Moreover for any edge (i, j) M
it holds that (c(i), c(j)) is uniformly distributed over 1, 2, 3
2
conditioned on c(i) = c(j).
2. The prover P and the verier V will engage in an n-fold parallel composition of the com-
mitment phase of the ILS where c(i) and r
i
are, in order, the committed message and the
private randomness used by (S
i
,
i
) (in the ith instance of ). The interaction of this step
stops right before the decommitment phases start.
3. The verier V chooses an edge (i, j) M at random and sends (i, j) to the prover P.
4. The prover decommits the ith and jth instances of by sending (c(i), r
i
) and (c(j), r
j
) to
the verier V .
5. The verier V veries (c(i), r
i
), (c(j), r
j
) as decommitments of the ith and jth and rejects if
either of them fail or if c(i) = c(j).
Claim 3.9. The IPCP = (P, , V ) of the Construction 3.8 has the following properties.
1. Completeness: If G is a 3-colorable graph, then Pr['P, V
`(G) = 1] = 1.
2. Soundness: is
1
2m
-sound. Namely, if G is not 3-colorable, then Pr['P, V
`(G) = 0]
1
2m
.
3. SZK: is (2
(n)
, 2
(n)
)-SZK with a straight-line simulator.
4. Eciency: can be implemented eciently (when (P, ) are given a proper coloring w of
G as their private input).
5. Round-complexity: If the commitment phase of has t rounds, then has round com-
plexity t + 1.
6. Public-coin: is public-coin if is public-coin.
Proof. .
Completeness. The completeness follows from the completeness of and the fact that w is a
proper coloring.
Soundness. Suppose G is not 3-colorable. Since runs n instances of in parallel, by Part 1
of Lemma 2.17, with probability at least 1 n, by the end of the commitment phases, for each
i [n] there is at most one possible c(i) that the prover can decommit to (together with some
randomness r
i
) successfully. In the following we assume that such event has happened. Now for
each i [n] let c(i) be the possible color that the prover can decommit to and let c(i) = if such
color does not exist. Since G is not 3-colorable, with probability at least 1/m the verier chooses
an edge (i, j) such that either c(i) = , or c(j) = , or c(i) = c(j). But in all these cases the verier
will reject. Therefore the verier will reject at some point during he interaction with probability at
least (1 n)
1
m
. Recall that had hiding 1 1 2
(n)
, which means that has soundness
(1 n)
1
m
1n2
(n)
m
1
2m
.
22
SZK. Suppose
V is a malicious verier which asks up to u queries from where (of Lemma
3.3) is (u, )-hiding. The simulator Sim starts by plugging in a random seed for
V and interacting
with
V similar to the way that (P, ) would do. But the problem is that Sim is not given the
coloring w and cannot get the randomized proper coloring c. Instead Sim does the following.
1. Sim uses the trivial (and most probably improper) coloring c(i) = 0 for all i N and interacts
with
V .
2. After receiving the edge (i, j) M from
V , the simulator chooses (c(i), c(j)) 1, 2, 3
2
conditioned on c(i) = c(j) and chooses r
t
i
(resp. r
t
j
) at random conditioned on being consistent
with c(i) (resp. c(j)) and the transcript of 'S
i
,
i
` (resp. 'S
j
,
j
`). The latter is possible
because of the equivocability of .
3. Sim answers the remaining oracle queries of
V , but it pretends that (c(i), r
t
i
) and (c(j), r
t
j
) are
the private message and randomness used in order by
i
and
j
. (For queries to other oracles
t
where t i, j, Sim continues using (0, r
t
) as the message and the randomness used for
the oracle
t
.)
When one is interacting with the honest prover P and the honest oracle , for any xed edge
(i, j) M the distribution of the colors of its vertices (c(i), c(j)) is uniformly distributed over
1, 2, 3
2
conditioned on c(i) = c(j). Therefore by Lemma 3.4, the simulator Sim generates a
view for
V which is 3
i[n]
= (3n)-close to the view of
V when interacting with the honest
prover and the oracle (P, ). Since is (u, ) = (2
(n)
, 2
(n)
)-hiding, it follows that has SZK
(2
(n)
, 3n2
(n)
) = (2
(n)
, 2
(n)
) with a straight-line simulator.
The eciency, round-complexity, and public-coin properties are immediate.
Finally let
2R
be an mn-fold parallel composition of . By Part 1 of Lemma 2.13,
2R
has soundness 1 (1 1/2m)
mn
= 1 2
(n)
. Also by Part 3 of Lemma 2.13
2R
has SZK
(2
(n)
, mn2
(n)
) = (2
(n)
, 2
(n)
) with a straight-line simulator. Clearly
2R
remains complete,
ecient, and 2-round and this nishes the proof of Theorem 3.1.
Proof. (of Theorem 3.2) To prove Theorem 3.2 it is enough to get an SZK-IPCP with non-negligible
adaptive soundness. Then by Part 2 of Lemma 2.13 we can use the sequential composition to amplify
the adaptive-soundness.
Note that if the verier asks only one query from the oracle, then there is no dierence between
soundness and adaptive-soundness.
A construction of [BGKW88] takes any multi-prover interactive proof system and compiles it
into a 2-prover system with non-negligible soundness where the verier asks only one query from
the oracle. The construction of [BGKW88] is as follows. The verier sends its randomness r
V
to
the rst prover and gets a full simulation of its interaction with the original multi-prover system.
Then, in order to make sure that the rst prover did not lie, one of the query/answer pairs claimed
by the rst prover is chosen at random and is veried by the second prover. If the answers were
dierent the verier rejects. It is easy to see that if the rst prover does not simulate the game
honestly as a simulation of the multi-prover case, then it will be caught with probability roughly
1/v where v is the total number of queries of the interaction being simulated. (We refer the reader
to [BGKW88] for more details).
23
As a rst try, we use the construction of [BGKW88] to compile our SZK-IPCP of Theorem
3.1 into one with non-negligible adaptive-soundness and only one oracle query. Namely, we starts
ask the verier to send its randomness to the prover who simulates the whole execution of the
original system. Then we choose one of the query/answer pairs claimed by the prover and verify its
correctness with the oracle (who is supposed to know the answer to such queries). Unfortunately,
the problem with this construction is that the verier is also able to reset the original prover
through the new oracle. That is because the new oracle is supposed to know the answer to all the
queries to the original prover and there is no restriction on which queries the verier will ask from
the oracle. Therefore we loose the SZK property.
To keep the SZK property, as a second try, we change the construction above as follows. The
verier will choose only one of the oracle queries, simulated by the new prover, and veries that
query with the new oracle. Now if the prover lies about any of the oracle-type simulated queries,
it still will be caught by the verier with non-negligible probability. Unfortunately, this time we
might loose the soundness. The reason is that if the soundness of the original system relies on
the oracle queries being hidden from the prover, since in the new simulation we are revealing the
oracle queries of the original system to the prover, the prover might honestly simulate the oracle
queries but use this knowledge to lie about the simulated queries of the original prover. But the
good news is that if the original construction of SZK-IPCP was public-coin, then the soundness is
still guaranteed even if the prover gets to see the oracle queries, and so in this case we do not loose
the soundness! More formally we use the following construction.
Construction 3.10 (From soundness to weak adaptive-soundness). Let = (P, , V ) be an IPCP.
We construct new IPCP
t
= (P
t
,
t
, V
t
) as follows.
PCP oracle: The (honest) oracle
t
will be the same as .
The interaction of P
t
and V
t
:
1. V
t
chooses a randomness r
V
for V and interacts with P
t
similar to the interaction of V
and P. The main dierence is that any time that V needs to ask a query from , V
t
will ask this query from the prover P
t
instead.
2. At this time V
t
has a full description of a possible interaction between V
and P and
rejects if V would reject in this interaction.
3. Suppose q
1
, . . . , q
v
are the oracle queries that were asked from the prover P
t
and let a
i
be the answer claimed by P
t
for the oracle query q
i
. If V
t
didnt reject in the previous
step, it will chooses a random i [v] and queries q
i
from the oracle
t
. Let a
t
i
=
t
(q
i
)
be the answer. V
t
rejects if a
i
= a
t
i
.
Claim 3.11 (Properties of Construction 3.10). Let = (P, , V ) be an (ecient) public-coin IPCP
for the language L which is (1 )-sound, (u, )-SZK and public-coin where the honest verier V
asks at most v oracle queries. When is used in Construction 3.10 the result is an (ecient) IPCP
t
= (P
t
,
t
, V
t
) for the language L which is (u v, )-SZK, and is (1 )/v-adaptively-sound.
Proof. .
24
SZK. Any simulator Sim for with parameters (u, ) can be used to get a simulator Sim
t
for
t
with parameters (u v, ). The reason is that the view of any malicious verier
V
t
in
t
who asks
at most u v can be simulated by another malicious verier
V in who uses
V
t
as a black box
(and in a straight-line manner). The verier
V runs
V
t
and whenever
V
t
asks an oracle query from
the prover P
t
,
V also asks this query from the oracle . Thus any (straight-line) simulator for
V
can be used to simulate the view of
V
t
with the same statistical distance .
Adaptive soundness. Since the verier asks only one query from
t
, it does not matter whether
t
is stateful or not. More formally, for any potentially stateful
t
we dene a (stateless) oracle
tt
which given the query x answers according to
t
when
t
is asked only the query x. Note that from
the point of view of V
t
there is no dierence between
t
and
tt
, so we might as well assume that
V
t
asks its query from the stateless oracle
tt
.
Let Rej be the event that V
t
rejects. By the soundness of as a public-coin IPCP if P
t
answers
all of q
1
, . . . , q
v
honestly according to
tt
, then it would hold that Pr[Rej] 1. It is crucial that
is public-coin, because in the interaction of V
t
and P
t
, P
t
gets to know the oracle queries of V and
the soundness should hold even in this case. But a malicious prover
P
t
can change Pr[Rej] by lying
about the answer to some of q
i
s. Let Lie be the event that there exists i [v] such that a
i
=
tt
(q
i
),
and let NoLie be the complement event that a
i
=
tt
(q
i
) for all i [v]. By the (1 )-soundness of
the public-coin IPCP it still holds that:
Pr[Rej NoLie] (1 ) Pr[Lie]. (3.1)
On the other hand if Lie happens then P
t
will be caught with probability at least 1/v, and so
Pr[Rej [ Lie] 1/v. (3.2)
Therefore we conclude that
Pr[Rej] = Pr[Rej NoLie] + Pr[Rej Lie]
max(0, 1 Pr[Lie]) + Pr[Lie] Pr[Rej [ Lie] by Inequality 3.1
max(0, 1 Pr[Lie]) + Pr[Lie]
1
v
by Inequality 3.2
(1 )/v. Achieved by Pr[Lie] = 1
We use Construction 3.10 over the IPCP = (P, , V ) of Theorem 3.1 to get a new IPCP
t
= (P
t
,
t
, V
t
). Let v = poly(n) be the number of oracle queries of V in . Since is public-
coin and is 2
(n)
-secure, therefore
t
will have adaptive-soundness 1/(2mv) = 1/poly(n) and SZK
(2
(n)
v, 2
(n)
) = (2
(n)
, 2
(n)
).
Finally let
adap
be a mvn-fold sequential composition of
t
. By Part 2 of Lemma 2.13,
adap
has adaptive-soundness 1 (1 1/(2mv))
mvn
= 1 2
(n)
. Also by Part 3 of Lemma 2.13
adap
has
SZK (2
(n)
, mvn2
(n)
) = (2
(n)
, 2
(n)
) and this nishes the proof of Theorem 3.2.
25
4 Interactive Locking Schemes
In this section we study ILSs and will construct an ILS with optimal round complexity.
Theorem 4.1. (A round-optimal ILS) Let (n) = poly(n), then
1. There exist an ecient ILS = (S, , R) for the message space 0, 1
with security 2
(n)
which has a commitment phase of only one round and is public-coin.
2. Any ILS with a noninteractive commitment phase needs an inecient oracle and thus
has optimal round-complexity (as an ecient ILS).
First, in Section 4.1 we present a general construction for ILSs from any interactive hashing
scheme (IHS) (see Denition 4.2) where the round-complexity of the used IHS equals the round-
complexity of the commitment phase of the constructed ILS. Using known constructions for IHS we
get an ILS with a 2-round commitment phase. We show that this is the best one can get through
this approach by showing that any IHS with the parameters needed for our construction requires
at least 2 rounds (see Proposition 4.5).
Then in Section 4.2 we present a direct construction for ILS with only one round of interaction in
the commitment phase. Both constructions of Sections 4.1 and 4.2 are 2
(n)
-secure and public-coin.
Thus the 1-round construction of Section 4.2 proves Part 1 of Theorem 4.1.
Finally in Section 4.3 we will show that at least one round of interaction is needed in the
commitment phase of any ecient ILS (proving Part 2 of Theorem 4.1).
4.1 ILS from IHS
Interactive hashing schemes (IHS Denition 4.2) and their variants have been of great use in
designing cryptographic protocols. Although the core central properties needed for IHSs in all these
applications is of an information theoretic avor, in the applications of IHSs in the computational
regime [OVY93a, OVY93b, HHK
+
05, HR07], compared to the applications in the information
theoretic regime [CCM98, CCM98, DHRS04]) some extra properties are required for the IHS used.
Here we use a minimal denition whose properties hold in all existing forms of IHS in the literature
and show that the existence of any IHS according to this denition implies the existence of ILS.
Denition 4.2 (Interactive hashing). An interactive hashing scheme (IHS) = (S, R) is a two
party protocol between a sender S and a receiver R where both are given 1
n
as the security
parameter and S is also given w M as the private message. By the end of the protocol the
transcript of the protocol determines two outputs w
0
= w
1
0, 1
n
for which the following
properties hold.
Completeness: If S and R are honest, then w w
0
, w
1
.
Binding: The protocol is -binding, if for every xed set T W of size [T[ [W[ and
any malicious sender
S the probability that both of w
0
and w
1
lie in T is at most 1/2; namely
Pr
/
S,R)=(w
0
,w
1
)
[w
0
, w
1
T] 1/2.
Hiding: If the sender S is honest, then for any transcript of the protocol which determines
the outputs (w
0
, w
1
) it holds that Pr
w|w
0
,w
1
[w = w
0
[ ] = Pr
w|w
0
,w
1
[w = w
1
[ ] = 1/2.
Therefore if, w W is chosen uniformly at random, w
0
and w
1
will have the same chance of
being equal to w.
26
We call ecient if both S and R are ecient and public-coin if the messages of the receiver R
only consist of her public coin tosses.
It is easy to see that if R simply sends a 2-to-1 pairwise-independent hash function h: 0, 1
n
0, 1
n1
to S and S sends back h(w), it gives a -binding IHS for 2
n/2
. But, as we will see
in Lemma 4.3 for our construction of ILS from IHS (Lemma 4.3) we need IHSs with non-negligible
binding = (1/poly(n)).
Lemma 4.3 (ILS from IHS). Let = (S
, R
S can invert (i.e., present x such that y = f(x)) and claim that y was his private message. So if at
the last step of the commitment phase
S sends a bit d = b c where b is his bit-message and y is
such that y = y
c
, then she gets committed to only one possible value for b for which she can nd a
consistent c.
5
But here we are interested in unconditionally secure protocols and we can not rely on the
existence of one-way permutations or any other computational assumption. The idea is to use the
locking oracle to hold a random (non-zero) point function (x) = y where the sender knows the
image y and the preimage x and thus can invert y to x. By using the IHS over the image y,
the sender gets committed to a unique y (with probability at least 1/2) assuming that there are
5
The argument needs to be formalized through an ecient reduction and we refer the reader to the rather
complicated full proof of [NOVY98].
27
fewer than 2
n
many invertible points in the set (0, 1
n
). But the receiver can guarantee
that the latter is the case by picking 100/ random samples x
t
0, 1
n
(conditioned on x = x
t
)
and verifying that (x
t
) = 0.
Proof. (of Lemma 4.3) We rst describe the bit-ILS = (S, , R).
Construction 4.4 (Bit-ILS from IHS). Let b 0, 1 be the private message hold by (S, ). We
will use the IHS with the properties described in Lemma 4.3 over the message space 0, 1
n
with
binding .
The commitment phase of :
1. The common randomness r
R
of (R, ) will be (x, y) 0, 1
n
0, 1
n
where y = 0. The
locking oracle will contain a point function: (x) = y and (x
t
) = 0 for x
t
= x.
2. S and R engage in the IHS where the sender S uses y as the private message of S
.
3. Let b be the private bit given to S, and let (y
0
< y
1
) be the output of the protocol and let
c be such that y = y
c
. As the last message of the commitment phase the sender S sends the
bit d = b c to the receiver R. Note that this does not require an extra round of interaction
since d can be concatenated to the last message of the sender.
The decommitment phase of :
1. S sends b and (x, y) to R.
2. R veries that (x) = y and y = y
db
(and rejects otherwise).
3. For i [n/] the receiver R samples x
t
i
0, 1
n
conditioned on x
t
i
= x at random and
veries that (x
t
i
) = 0 holds for all i [n/] (and rejects otherwise).
Now we prove the properties of the ILS of Construction 4.4.
Completeness is immediate.
Binding. Let T = (x) [ x 0, 1
n
` 0 and T
1
= x [ (x) = 0 be the set of non-zero
points in the oracle . There are two cases: either T
1
has size [T
1
[ 2
n
or [T
1
[ < 2
n
.
If the rst case [T
1
[ 2
n
holds, then with probability at least 1 (1 )
n/
> 1 2
n
one of
the receivers samples x
t
i
will be sampled from T
1
and then the receiver R rejects. (The way we
described the protocol the random samples x
t
i
s are chosen in the decommitment phase, but they
are part of the randomness r
R
of the receiver and are chosen in the beginning of the commitment
phase.)
On the other hand, if the second case [T
1
[ < 2
n
holds, it implies that the size of [T[
[T
1
[ < 2
n
is small as well. Now by the binding property of the IHS , with probability at least
1/2 one of y
0
, y
1
lies out of T in which case there is only one way for the sender S to decommit
to a bit b consistent with y
0
, y
1
and d. Therefore the 1/2-binding holds in either of the cases.
28
Hiding. If a malicious receiver
R asks up to 2
n/2
queries from the oracle , they will be all
answered zero with probability at least 1 2
n/2
by the uniformity of x 0, 1
n
. But in that
case the oracle queries of
R do not reveal any information about y and the hiding of the ILS
follows from the hiding of the IHS .
Equivocability. Let be the transcript of any malicious receiver
R by the end of the commitment
phase. Given (b, ) the sampler algorithm Sam does the following. Let (x
t
1
) = y
t
1
, . . . , (x
t
t
) = y
t
t
be the oracle queries asked by
R from appeared in the transcript and let (y
0
, y
1
) be the output
of the executed IHS. If there exist i [t] such that y
t
t
= 0, then it means that
R has found the
committed bit b = d c where c is such that y
t
i
= y
c
. In this case the sampler Sam simply outputs
(x
t
i
, y
t
i
). On the other hand if y
t
i
= 0 for all i [t], then the sampler chooses y = y
c
where c = b d
and chooses x 0, 1
n
` x
t
1
, . . . , x
t
t
and outputs (x, y) (pretending that (x) = y).
By using the IHS of [DHRS04] (which has the fewest number of rounds among known IHSs) we
get a 2-round ILS. The following proposition shows that the Construction 4.4 of ILSs from IHSs
is not able to achieve ecient ILSs with one round (in the commitment phase).
Proposition 4.5 (Nontrivial IHSs need two rounds). Any IHS with at most 3 messages ex-
changed between the sender and the receiver has binding at most = 100/
[W[. Therefore by a union bound with probability at least 8/10, T is both a good set and
also of size at most 100
[W[. This set T can be used by the sender to break the binding of ,
because with probability at least 9/10 over the rst message q of the receiver, the sender is able to
send a message a (corresponding to the edge covered by T) which determines two elements in the
set T as the output of the protocol.
Now we study 3-message protocols. If we add one more message q
1
from the receiver to to the
sender (in addition to the the 2-messages in the protocols studied above), the last message of the
receiver does not restrict the senders cheating power, because the set of messages that the sender
can claim to be his message does not depend on the last message of the sender.
Now suppose the protocol has three messages where the sender starts the interaction. In this
case, the rst message of the sender a
0
might decrease the space of possible values for w which are
consistent with a
0
. Now the sender xes a value a
0
for his rst message. Let W
t
be the set of
values for w which are consistent with a
0
. By using the same attack above (for the protocols which
start with a
0
), the sender can still nd a set T of size at most 100
[W
t
[ < 100
continues asking
as long as there is any -unbiased queries left. We call a query x (1 )-biased (with respect to
Q), if it is not -unbiased.
Lemma 4.15. Suppose < 1/2 and let the random variable Q be the set of query/answer pairs
that EL
f
learns when interacting with f . Then it holds that E[[Q[] H(f )/ where H() is the
Shannon entropy.
Proof. When x is an -unbiased query of f with respect to Q, then conditioned on Q, f (x) has
Shannon entropy at least H(f (x) [ Q) log(1/) +(1) log(1/(1)) > log(1/) > . Suppose
x
1
, . . . , x
[Q[
are the queries asked by EL
f
and x
[Q[+1
, . . . , x
2
n are the remaining queries not asked
by EL
f
i[2
n
]
H(f (x
i
) [ Q
i1
). Note that
H(f (x
i
) [ Q
i1
) = Pr[[Q
i
[ i]H(f (x
i
) [ Q
i1
[Q
i
[ i) + Pr[[Q
i
[ < i]H(f (x
i
) [ Q
i1
[Q
i
[ < i) .
We claim that H(f (x
i
) [ Q
i1
[Q
i
[ i) . The reason is that we are conditioning on the
cases of Q
i1
which determine x
i
as an -unbiased point (and we do not condition on any more
information). Therefore it holds that
H(f ) =
i[2
n
]
H(f (x
i
) [ Q
i1
)
i[2
n
]
Pr[[Q
i
[ i]H(f (x
i
) [ Q
i1
[Q
i
[ i)
i[2
n
]
Pr[[Q
i
[ i] = E[[Q[],
and so E[[Q[] H(f )/.
Now we turn to proving Theorem 4.13.
Proof. (of Theorem 4.13)
For simplicity, and without loss of generality, we assume that the oracle is Boolean and is
only dened over inputs of length n.
The attack of
R is as follows. The receiver runs the canonical entropy learner EL
f
with =
1/100u over the (random) function of the oracle (where the randomness of comes from the
randomness r
S
shared with the sender which includes the random bit b 0, 1). Recall that the
receiver cannot ask more than u queries. We dene Q
u
to be the set of query/answer pairs that the
receiver (who asks at most u oracle queries) learns about . It always holds that Q
u
Q where Q
is the set of query/answer pairs that EL
f
1
(x) = l
x
.
We claim that the probability that the rst experiment is a defeat is exactly the same as that of
the second experiment. The reason is that, although the receiver in general behaves dierently in
the two experiments, the dierence starts by asking a query x such that
1
(x) = l
x
, and otherwise
all the answers given to to the receiver will be the same between and
0
.
Now we claim that the probability of defeat in the second experiment is less than 1/10. It would
nish the proof since in that case the probability of defeat in the rst experiment also will be less
than 1/10, and therefore the receiver will accept in the rst experiment with probability more than
9/10.
In the second experiment we can pretend that
1
is sampled after the verication is done using
the oracle
0
. The reason is that the behavior of the receiver is dened only based on
0
, while
1
is
only used to determine whether or not the experiment ends in defeat. So suppose X = x
1
, . . . , x
u
R
of
R satises either of the following:
Pr
(x
0
,x
1
)|0,1
2
[x
0
= 0 [ v
R
] =
1
2
neg(n) or Pr
(x
0
,x
1
)|0,1
2
[x
1
= 0 [ v
R
] =
1
2
neg(n).
Oblivious transfer by semi-honest parties. If one of the parties is semi-honest (i.e. runs
the protocol honestly, and only remembers its view for further o-line investigation), then in fact
unconditionally secure OT is possible in the stateless token model. If the receiver is honest, then
the protocol is simply a token T sent from the sender which encodes T(0) = x
0
, T(1) = x
1
. The
receiver will read T(i) to learn x
i
. Moreover it is well known that secure OT in one direction implies
the existence of secure OT in the other direction, so if the sender is semi-honest unconditionally
secure OT is possible in the stateless token model.
In this section we prove that statistically secure OT is impossible in the stateless token model, if
both parties are slightly more malicious than just being semi-honest. Roughly speaking, we dene
the notion of curious parties who run the original protocol (honestly), but will ask more queries
from the tokens along the way.
6
We will prove that for any protocol (A, B) aiming to implement
OT, there are curious extensions of the original parties (A
cur
, B
cur
) who break the security of the
protocol. More formally we dene curious parties as follows.
6
The term honest but curious is sometimes used equivalent to semi-honest. Our notion is dierent from
both of them because a curious party deviates from the protocol slightly by learning more but emulates the original
protocol honestly.
37
Denition 5.2. Let (A, B) be a two party protocol in the token model. We call the protocol A
cur
a curious extension of A, if A
cur
runs the same protocol as A, but at any point during the protocol
it might ask arbitrary queries from tokens sent from B. We call A
cur
ecient, if it asks only poly(n)
queries totally. By Q
Acur
we denote the set of triples representing total query/answer information
that A
cur
gathers about the tokens it receives, and we use Q
A
to denote only the query/answers
for the underlying emulated algorithm A (and so Q
A
Q
Acur
).
We will prove the following theorem.
Theorem 5.3 (No unconditional OT from stateless tokens). Let (S, R) be any protocol for the
oblivious transfer in the stateless token model. Then there are curious extensions (S
cur
, R
cur
) to
the original algorithms where (S
cur
, R
cur
) (and thus (S, R)) is not a secure protocol for oblivious
transfer even when the inputs are random. More formally either of the following holds:
Violation of senders security: When the sender S chooses x
0
and x
1
at random from
0, 1 and interacts with R
cur
, then R
cur
can nd out both of x
0
and x
1
with probability at
least 51/100.
Violation of receivers security: When the receiver R chooses i 0, 1 at random and
interacts with S
cur
, then S
cur
can guess i correctly with probability at least 51/100.
In the following section we rst show that any protocol (S, R) with the following sampling
condition can not implement OT securely (Lemma 5.5). The sampling condition is that one can
sample the randomness of the receiver R conditioned on the view of the sender S. This sampling
condition extends the accessible entropy notion introduced by Haitner et al [HHRS07] to the
token model (in an information theoretic way) and is equivalent to saying that the entropy of the
receiver is accessible. Then we show (Theorem 5.8) that for any protocol (S, R), there is a curious
extension S
cur
, R
cur
where almost all the entropy is accessible, and this will prove Theorem 5.3.
Notation. In the following, for clarity, we use bold letters to denote random variables and use
the non-bold version of the bold variables to denote the samples of that random variable: x x.
For example r
A
will denote the randomness of Alice as a random variable and r
A
denotes the actual
randomness used by Alice.
5.0.1 Breaking oblivious transfer by accessing the entropy
In the standard model of interaction (without tokens) all the information exchanged between two
parties is represented in the transcript of the interaction. This means that information theoreti-
cally, an unbounded Bob can sample from r (r
B
[ ): his own space of randomness conditioned
on what Alice knows about it (which is the transcript of the protocol ) and vice versa. So informa-
tion theoretically Bob is not committed to anything more than what Alice knows about him (but
of course Bob might not be able to sample from this distribution eciently). Roughly speaking if
the sampling r
B
(sup(r
B
) [ ) can be done eciently at any time during the protocol, [HHRS07]
calls such protocol one with accessible entropy.
The fact that in the standard model unbounded parties can access all the entropy makes un-
conditional oblivious transfer to be impossible in this model. The reason is that at the end of the
protocol, either the sender S can nd out which bit is read by the receiver R by sampling from
r (r
R
[ ), or otherwise a sample from r (r
R
[ ) will reveal either of the inputs x
0
, x
1
with
38
probability 1/2 and thus Bob can nd out both of them by taking enough number of samples.
We will formalize this argument in the case of token model in Lemma 5.5 below.
In the token model, however, the information exchanged between the parties is not shared
by them. Namely, the set Q
A
(see Denition 5.2) captures the information that the algorithm
A gathers from the tokens he has received from the other party B, and this set is dierent from
Q
B
. Moreover, it might be impossible for A to nd out Q
B
exactly. Therefore if we consider
= (Q
A
, Q
B
) to be the transcript of the protocol in the token model, Alice and Bob each know
part of , and this makes the above argument (for the impossibility of OT) fail. In fact, as we
said, if either of the parties is semi-honest, then unconditional OT is possible in the stateless token
model.
The following denition generalizes the notion of accessible entropy to the token model (from
an information theoretic perspective).
Denition 5.4 (Accessible entropy in the token model). Let (A, B) be a protocol in the token
model between Alice and Bob. We say the entropy of Bob can be (1 )-accessed if there is a
sampling algorithm Sam
B
as follows. Sam
B
receives a possible view for Bob (r, Q) as input and
outputs another possible view for Bob (r
t
, Q
t
) with the following property: With probability at
least 1 over the choice of (r
A
, r
B
) (r
A
, r
B
), if Q
A
, Q
B
denote to the information that Alice
and Bob has gathered from the tokens at any time during the execution of the protocol, it holds
that
SD((r
B
, Q
B
[ r
A
, Q
A
), Sam
B
(r
B
, Q
B
)) .
We say that B has inaccessible entropy, if the entropy of B is not (1 )-accessible.
Comments about Denition 5.4 .
One can dene a computational version of Denition 5.4 in the standard model where Sam
B
is
ecient and given it samples from a distribution which is -close to (r
B
[ ). It can be shown
that an interactive algorithm B has non-negligible inaccessible entropy in this denition if and only
if B has non-negligible inaccessible entropy according to the denition of [HHRS07].
[HHRS07] shows that in the standard computational setting non-negligible inaccessible entropy
implies statistically hiding commitments. We shall point out that in the stateless token model, as
we will see, if both parties are curious enough, then almost all the entropy can be accessed, but
as we saw in Theorem 4.1 unconditionally secure commitment schemes does exist. The dierence
between the standard computational model of interaction and the token model is that in the
standard computational model the sampled r (r
B
[ ) can be used (by a potentially malicious
Bob) as a witness that Bob is running the protocol appropriately and even be used to continue the
protocol without being caught by Alice, but in the token model a sampled r = Sam
B
(r
B
, Q
B
) might
contradict the future queries of Alice to the tokens she that is holding from Bob. The fact that Alice
can caught Bobs claim by asking more token queries is highly used in our both Constructions 4.4
and 4.9 of ILSs. In fact, if one denes a simple commitment scheme as one where the receiver is not
allowed to ask token queries during the decommitment phase, then a similar argument to Lemma
5.5 below shows that simple commitment schemes imply (non-negligible) inaccessible entropy, and
therefore unconditional simple commitments are impossible to achieve in the stateless token model.
Lemma 5.5 (Oblivious transfer needs inaccessible entropy). Let (S, R) be a protocol for random
oblivious transfer where the senders inputs x
0
, x
1
are part of r
S
and receivers input i is part of
39
r
B
. If (S, R) has perfect completeness and the entropy of the receiver R can be 0.99-accessed, then
either of the following holds:
Violation of senders security: When the sender S interacts with R, then R can nd out
both of x
0
and x
1
correctly with probability at least 51/100.
Violation of receivers security: When the receiver R chooses i 0, 1 at random and
interacts with S, then S can guess i correctly with probability at least 51/100.
Proof. We show that if Sam
R
1-accesses the entropy, then either of the security failures above
holds with probability at least 53/10. Using the actual Sam
R
(which 0.99-accesses the entropy) will
change the success probability of the attacks by at most 2/100 which still remain at least 51/100.
So in the following we assume that Bob also can sample from the distribution (r
R
[ r
S
, Q
S
) where
by Q
S
we denote the nal set of query/answers that the sender learns about the receivers tokens.
We call (r
S
, Q
S
) a predicting pair, if either Pr[i = 0 [ r
S
, Q
S
] 9/10, or Pr[i = 1 [ r
S
, Q
S
] 9/10.
Now there are two possible cases:
Pr[(r
S
, Q
S
) is predicting] 1/10: Then the sender can predict i by probability at least
1/2 +1/10 > 53/10 as follows: Whenever (r
S
, Q
S
) is predicting, use the predicted value, and
whenever it is not use a random guess. This violates the security of the receiver.
Pr[(r
S
, Q
S
) is predicting] 1/10: Therefore, with probability at least 9/10 (r
S
, Q
S
) is not
predicting. For a non-predicting (r
S
, Q
S
), by sampling (r
t
R
, Q
t
R
) (r
R
, Q
R
[ r
S
, Q
S
) we get
either of the cases i = 0 or i = 1 with probability at last 1/10. By the assumed perfect
completeness of the protocol the output of the sampled (r
t
R
, Q
t
B
) is equal to x
i
. Note that
sender can sample from (r
R
, Q
R
[ r
S
, Q
S
) by using the sampler Sam
R
. When (r
S
, Q
S
) is not
predicting, by sampling n samples (r
t
R
, Q
t
R
) (r
R
, Q
R
[ r
S
, Q
S
), the receiver can nd both
of x
0
and x
1
with probability 1 neg(n). Therefore, since (r
S
, Q
S
) is not predicting with
probability 9/10, the receiver can nd both inputs of the sender with probability at least
(9/10) (9/10 neg(n)) > 53/100.
5.0.2 Curious extensions who access the entropy
In this section we dene a specic curious extension to the protocols in the stateless token model
which we call canonical curious extensions and prove that almost all the entropy of such protocols
can be accessed. Roughly speaking, a canonical curious extension of an interactive algorithm is a
curious extension of the original protocol where the parties ask their extra token queries according
to the canonical entropy learner of Denition 4.14. Each time that an unbiased query q is asked,
it reveals a noticeable amount of information about the other partys private randomness. By the
same argument as Lemma 4.15, since the entropy H(r
A
) +H(r
B
) poly(n) is bounded, by asking
only ecient number of queries one can learn enough information to predict the answer to any other
(xed) query to the tokens. In particular, the answer to the query that is going to be asked in the
emulation of the original protocol will be predictable, so we can ignore asking such queries and use
the predicted answers in the emulation of the original protocol. We call the new protocol which
uses the predicted values an ideal protocol (A
id
, B
id
) which will simulate the original protocol
(A, B) up to 1/poly(n) statistical distance.
40
Finally, the main point is that in the ideal protocol the parties know exactly what the other
party knows about them! The proof uses induction. Assuming that Alice and Bob both know
(Q
A
id
, Q
B
id
), they can nd out which queries are -unbiased from Alices and Bobs point of view.
When Alice is asking such a query Bob knows the query and its answer (since it is from a token
generated by Bob) and vice versa. Therefore, (r
A
id
, Q
A
id
) will determine Q
B
id
and (r
B
id
, Q
B
id
) will
determine Q
A
id
and in a sense we are back to the standard model where the transcript is known to
both parties, and thus all the entropy can be accessed!
It will be easier for us to rst dene the ideal experiment Ideal and then dene how the canonical
curious parties behave.
Denition 5.6 (Ideal experiment.). Let (A, B) be a protocol in the stateless token model. The
protocol (A
id
, B
id
) will depend on (A, B) and will be executed in the experiment Ideal as follows.
Randomness: (A
id
, B
id
) will use the same randomness (r
A
, r
B
) and will (try to) emulate
(A, B).
Set of token query/answers: (A
id
, B
id
) will inductively update the sets Q
A
id
and Q
B
id
which encode the information they have gathered from the other partys tokens so far.
Mutual Knowledge: A crucial point is that Q
A
id
and Q
B
id
will be known to both Alice and
Bob inductively. Namely, A
id
can nd out the updates to the set Q
B
id
without B
id
explicitly
revealing that information to A
id
and vice versa. How this condition holds and how the
emulation of (A, B) is done is claried next.
Emulation: Suppose during the emulation we are at a time where A needs to ask the query
q
0
from a token T. Instead of doing so, A
id
runs the canonical entropy learner of Denition
4.14 over the tokens (T
B
1
, . . . , T
B
i
) that he holds from Bob. Namely, A
id
considers the uniform
distribution of (r
A
, r
B
) consistent with the transcript of the interaction: (Q
A
id
, Q
B
id
). Note
that, by inductions assumption A
id
knows Q
B
id
as well. Now if there is any query q to
any of the tokens (T
B
1
, . . . , T
B
i
) sent from Alice such that q is -unbiased, then A
id
asks the
lexicographically rst such query q
1
and updates Q
A
id
. We stress that since B
id
knows also
Q
A
id
, he is also able to nd the query q
1
, and moreover since this query is asked to one of
the tokens that Bob has generated, B
id
knows the answer as well. So Bob also knows the
update to the set Q
A
id
the same as Alice. When A
id
is done with the learning phase before
asking q
0
, it not ask the query q
0
, but rather will use the likely answer l
q
0
which is uniquely
determined by the updated (Q
A
id
, Q
B
id
) (but of course l
q
0
might be dierent from the actual
solution provided by the token). B
id
will emulate B similarly.
Now we dene the experiment CanCur in which a canonical curious extension of the protocol
(A, B) is dened.
Denition 5.7 (Canonical curious extensions). Let (A, B) be a two party protocol in the stateless
token model. A Canonical Curious extension of A denoted by A
cc
receives two parameters : the
curiosity parameter and u: the upper bound on the number of extra queries asked by A. A
cc
acts
in the experiment CanCur as follows:
A
cur
runs the algorithm A with randomness r
A
and emulates the interaction of A with B.
The set Q
A
denotes the set of token query/answers corresponding to this emulation.
41
A
cur
also keeps updating a set of token query/answers Q
A
id
by pretending that it is being
executed in the experiment Ideal. A
cur
stops asking more extra queries (i.e. the queries out
of Q
A
) whenever [Q
A
id
[ = u. Note that in CanCur (as opposed to CanCur), A
cc
does ask the
emulated queries of A from the tokens and uses the answer for further computations.
The total token queries/answer knowledge of A
cur
is encoded in Q
Acur
= Q
A
Q
A
id
.
Now we prove the following theorem showing that by taking small enough, one can access
almost all the entropy of (A
id
, B
id
) eciently.
Theorem 5.8 (Canonical curious parties can access the entropy). Let (A, B) be a protocol in the
stateless token model between Alice and Bob where they totally ask k = poly(n) number of queries
to the tokens exchanged. For a given = 1/poly(n) let be such that = 2(k +
k) and let
u =
[r
A
[
k
2
. If is used as the curiosity parameter and u is used as the upper-bound parameter, then
the entropy of B
cc
in (A
cc
, B
cc
) is (1 )-accessible.
Note that Theorem 5.8 and Lemma 5.5 together imply Theorem 5.3 as a corollary.
Intuition. Roughly speaking Theorem 5.8 follows from the following facts:
1. Entropy is accessible in Ideal: The entropy of A
id
is 1-accessible, because Q
A
id
and Q
B
id
are known to both parties at any time during the protocol.
2. Parties are ecient in Ideal: By Lemma 4.15 A
id
on average asks at most H(r
B
)/ =
[r
B
[/ poly(n) number queries.
3. Ideal and CanCur are close: As long as the likely answers used by A
id
and B
id
for the
emulation of (A, B) are correct, the two experiments Ideal and CanCur are exactly the same.
Let WG (Wrong Guess) be the event that one of these likely answers used is incorrect. By
denition, he probability that WG happens at any particular query in Ideal is at most , and
therefore the probability of WG is bounded by k. By taking small enough we can make
k arbitrary small.
The formal proof follows.
Proof. (of Theorem 5.8) The sampling algorithm Sam
B
in CanCur will perform the sampling by
simply pretending that it is being used in the experiment Ideal (by ignoring Q
B
and only using
Q
B
id
and r
B
). We will show that with probability 1 over (r
A
, r
B
) the sampler Sam
B
will sample
-close to the right distribution all along the execution of CanCur.
As a mental experiment, we sample (r
A
, r
B
) (r
A
, r
B
) and run both of the experiments CanCur
and Ideal in parallel with the same randomness (r
A
, r
B
). We use the notation Pr
cc
[] to denote the
probability of an event in CanCur and use Pr
id
[] to denote the probability of an event in Ideal.
Let WG
i
to be the event in the experiments CanCur and Ideal that holds i the ith query q
i
asked by Alice or Bob in is not the likely answer, and dene the event WG =
i
WG
i
.
We modify CanCur slightly and let the size of Q
A
id
and Q
B
id
to grow beyond u. Our proof
will take care of this issue indirectly. By this change, it is easy to see that as long as WG does
not happen the experiments CanCur and Ideal are exactly the same. In particular it holds that
Pr
cc
[WG] = Pr
id
[WG]. Since (r
A
, r
B
) determines the whole execution of the experiments CanCur
42
and Ideal we can talk about the event WG(r
A
, r
B
), and Pr
(r
A
,r
B
)
[WG] is the same in CanCur and
Ideal.
The following claim shows that by taking small enough CanCur and Ideal will become statis-
tically close.
Claim 5.9. It holds that Pr
(r
A
,r
B
)
[WG] k.
Proof. If show that Pr
id
[WG
i
] the claim follows by union bound over i [k]. But Pr
id
[WG
i
]
holds by the denition of the experiment Ideal and -unbiased queries.
We call (r
A
, r
B
) a good sample if the following conditions hold when (r
A
, r
B
) is used to run the
experiments:
1. WG does not happen.
2. [Q
B
id
[ and [Q
B
id
[ does not pass the upper limit u.
3. At any time during the execution if Q
A
id
, Q
B
id
, Q
Acc
, and Q
Bcc
denote the set of query/answers
in the both experiments in that moment it holds that
Pr
id
[WG happened before [ Q
A
id
, Q
B
id
]
k and
Pr
cc
[WG happened before [ Q
Acc
, Q
Bcc
]
k.
Claim 5.10. Pr[(r
A
, r
B
) is good ] 1 .
Proof. By Claim 5.9 the rst property holds with probability at least 1 k.
By Lemma 4.15 and using the Markov inequality the second property holds in Ideal with prob-
ability at least 1 k. So both properties 1 and 2 hold with probability at least 1 2k.
We use Lemma 2.3 with the following parameters X = (r
A
, r
B
), F = WG, Z
i
= (Q
A
id
, Q
B
id
)
where (Q
A
id
, Q
B
id
) their value at the ith moment and p =
k.
Therefore all the properties hold for a random (r
A
, r
B
) with probability at least 12k2
k =
1 .
Suppose the sampled (r
A
, r
B
) is a good one. Then, by the st property, all along the execution
CanCur and Ideal will be the same. The second property will guarantee the ecaciously with respect
to the upper bound u.
Now suppose Sam
B
is run over the input (r
B
, Q
Bcc
) at an arbitrary moment during the execution
of the system. By the rst property, the sampler Sam
B
will conclude the correct Q
Acc
. Therefore
Sam
B
will sample exactly according to (r
B
id
, Q
A
id
[ r
A
id
, Q
A
id
) in Ideal. By the third property the
probability that WG has happened before is at most
k < -close to the right distribution. This nishes the proof that
Sam
B
(1 )-accesses the entropy of A
cc
in (A
cc
, B
cc
).
43
6 Unconditional UC Secure Computation: Encapsulating Tokens
inside Tokens
6.1 The Model
First we dene the functionality T
enc
that models the fact that the parties can put any number of
received tokens inside a new one. The idea of T
enc
, described in Figure 1, is to model the following
real-world functionality: party P
i
sends a stateless token M to party P
j
. This stateless token may
have encapsulated inside it a number of other stateless tokens which P
i
received from other parties
(such encapsulated tokens subsequently become unavailable to P
i
after sending out M). Since the
token is stateless, P
j
can run M multiple times on inputs of its choice. While running, M can access
its internal tokens in a black box way by querying any of them any number of times. Thus, T
enc
saves the description of the oracle machines it gets from a party in create messages, and lets the
other party run them multiple times. Each machine is uniquely identied by a machine identier
mid.
Functionality T
enc
T
enc
is parameterized by a polynomial p() and an implicit security parameter .
Create Upon receiving (create, sid, P
i
, P
j
, mid, M, List) from P
i
, where M is an Oracle
machine, do:
1. If any of the tokens specied in List is marked unavailable or does not have P
i
as the
recipient, do nothing. Else, mark all tokens in List as unavailable. (This step ensures
that a received token cannot be used in constructing multiple other tokens.)
2. Send (create, sid, P
i
, P
j
, mid) to P
j
.
3. Store (P
i
, P
j
, mid, M, List).
Execute Upon receiving (run, sid, P
i
, mid, msg) from P
j
, nd the unique stored tuple
(P
i
, P
j
, mid, M). If no such tuple exists or if this token is marked unavailable, do noth-
ing. (This step ensures that a received token cannot be queried after it has been used up
in constructing another token.)
Run M(msg). While running if M makes a query specifying mid, check if mid is in List
associated with M. If not, output .
Else, evaluate the machine mid on the given query recursively and supply the response to
M. Let out be the output of M (out = if the entire computation does not halt in p(k)
steps). Send (sid, P
i
, mid, out) to P
j
.
Figure 1: Ideal functionality for stateless tokens with encapsulation
44
6.2 Construction for Unconditional UC Secure Computation
We rst show how to construct an unconditional UC secure commitment scheme COM in the token
encapsulation model described above. We then present a construction for unconditional UC secure
OT building on the commitment scheme COM. This in turn implies the existence of unconditional
general UC secure computation by invoking the results from [IPS08, Kil88].
Unconditional UC Secure Commitment The committer Alice wishes to commit to a bit b
to the receiver Bob. We build upon the interactive locking scheme in Section 4. We can get a
commitment scheme in the stateless hardware token model using an interactive locking scheme
where the sender is the committer and the locking oracle is implemented using a stateless hardware
token. We call this commitment scheme com. The commit phase of our commitment scheme COM
proceeds as follows:
Bob rst generates a random string r 0, 1
k
and uses the commitment scheme com to
commit r to Alice.
Alice breaks the bit b into k pairs of 2-out-of-2 random shares. That is, for all i [k], Alice
picks b
0
i
and b
1
i
at random such that b
0
i
b
1
i
= b. Now i, j, Alice commits b
j
i
to Bob using
the commitment scheme com.
Alice further construct a token T as follows. Alice puts her entire state in T including all
tokens received from Bob, the input and randomness and the protocol transcript so far. The
functionality of T is described in the next step.
The token T expects as input from Bob a string r
t
that Bob committed to in the rst step
along with the decommitment to r
t
(i.e., the randomness he used to commit to r
t
in the rst
step). T veries that the decommitment is valid by possibly querying the encapsulated tokens
Alice received from Bob in the rst step. If the check fail, T outputs . Otherwise, i [k],
T outputs b
r
[i]
i
and the decommitment to b
r
[i]
i
(where r
t
[i] represents the i-th bit of the string
r
t
).
Bob queries T with the string r and its decommitment and gets in return, i [k], b
r[i]
i
and
the decommitment to b
r[i]
i
. Bob veries all the decommitments (by possibly querying the
tokens he received from Alice in the second step. Bob aborts and rejects the commitment in
case any of the decommitments is found invalid.
The decommitment phase for COM simply consists of Alice revealing b
j
i
and its decommitment
i [k], j 0, 1 along with the bit b. Bob veries that all the decommitments are valid and that
i, b
0
i
b
1
i
= b. If so, Bob accepts the decommitment to bit b and rejects otherwise.
Proof Sketch. The above protocol can be shown to be UC secure using standard techniques.
Below we only provide the main idea behind the proof and defer the details to the full version.
Corrupted Committer: In this case, the simulator Sim works by extracting the input of the
committer and sending it to the ideal trusted functionality. This can be done using the following
idea. The simulator runs the commit phase honestly with the committer. At the end of the commit
phase, Sim utilizes the equivocability property of the interactive locking scheme to make additional
45
queries to the token T and get a valid response (thus enabling him to extract b). In other words,
Sim chooses a random string r
1
and sends a decommitment to r
1
. Sim uses the simulator associated
with the equivocability property of ILS to generate such a valid decommitment to r
1
(and answer
the queries made by T to the encapsulated token). If T gives a valid answer, Sim computes the
committed bit b (and sends it to the ideal functionality). Else, Sim tries again with another random
string. Sim will terminate in expected polynomial time since T gave a valid response on the rst
(honest) query made by Sim.
Corrupted Receiver: In this case, Sim executes the commitment phase honestly and commits
to a random bit. At the start of the decommit phase, Sim gets the bit b to be decommitted to from
the ideal functionality. Then Sim, for each of the k pair of shares, chooses the unopened share to
be such that the XOR of the two shares equals b. Next, Sim uses the equivocability property of
the interactive locking scheme to decommit all his commitments (in step 2 of the protocol) to the
appropriate shares as chosen.
Unconditional UC Secure Oblivious Transfer The sender Alice has the input strings (s
0
, s
1
)
while the receiver Bob has the selection bit c. The OT protocol proceeds as follows:
Bob commits to its selection bit c using the commitment scheme COM.
Alice constructs a token G as follows. Alice puts her entire state in G including all to-
kens received from Bob, the input and randomness and the protocol transcript so far. The
functionality of G is described in the next step.
The token G expects as input from Bob a string c
t
that Bob committed to in the rst step
along with the decommitment to c
t
(i.e., the randomness he used to commit to c
t
in the rst
step). G veries that the decommitment is valid by possibly querying the encapsulated tokens
Alice received from Bob in the rst step. If the check fail, G outputs . Otherwise, G outputs
the string s
c
.
Bob queries G with the string c and its decommitment and gets in return s
c
as his output of
the protocol. If G aborts without giving a response, Bob takes 0 to be received output.
Proof Sketch. We consider the following two cases separately.
Corrupted Sender: In this case, the simulator Sim works by extracting the input strings of
the sender and sending them to the ideal trusted functionality. This can be done as follows. Sim
commits to a random choice bit in the rst step and receives the token G. Sim then simply uses
the equivocation property of the commitment scheme COM to query the token G on both 0 and
1 as the choice bits and get the response (if G aborts in any query, Sim takes 0 to be response).
Sim then sends the two extracted strings to the ideal functionality.
Corrupted Receiver: In this case, Sim simply extracts the choice bit c of the receiver in the
rst step. This can be done by using the simulator associated with the commitment scheme COM.
Sim then sends the extracted choice bit c to the trusted functionality and gets the output s
c
. Sim
then picks s
c
at random and honestly prepares the token G with s
c
, s
c
as the input strings.
46
References
[AH91] William Aiello and Johan Hastad. Statistical zero-knowledge languages can be recog-
nized in two rounds. J. Comput. Syst. Sci., 42(3):327345, 1991.
[ALM
+
98] Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy.
Proof verication and the hardness of approximation problems. J. ACM, 45(3):501
555, 1998.
[AS98] Sanjeev Arora and Shmuel Safra. Probabilistic checking of proofs: A new characteri-
zation of np. J. ACM, 45(1):70122, 1998.
[BFL90] Laszlo Babai, Lance Fortnow, and Carsten Lund. Non-deterministic exponential time
has two-prover interactive protocols. In FOCS, pages 1625, 1990.
[BGKW88] Michael Ben-Or, Sha Goldwasser, Joe Kilian, and Avi Wigderson. Multi-prover in-
teractive proofs: How to remove intractability assumptions. In STOC, pages 113131,
1988.
[BGW88] Michael Ben-Or, Sha Goldwasser, and Avi Wigderson. Completeness theorems for
non-cryptographic fault-tolerant distributed computation (extended abstract). In
STOC, pages 110, 1988.
[BM88] Laszlo Babai and Shlomo Moran. Arthur-Merlin games: A randomized proof system
and a hierarchy of complexity classes. Journal of Computer and System Sciences,
36:254276, 1988.
[Can01] Ran Canetti. Universally composable security: A new paradigm for cryptographic
protocols. In FOCS, pages 136145, 2001.
[CCD88] David Chaum, Claude Crepeau, and Ivan Damgard. Multiparty unconditionally secure
protocols (extended abstract). In STOC, pages 1119, 1988.
[CCM98] Christian Cachin, Claude Crepeau, and Julien Marcil. Oblivious transfer with a
memory-bounded receiver. pages 493502, 1998.
[CGGM00] Ran Canetti, Oded Goldreich, Sha Goldwasser, and Silvio Micali. Resettable zero-
knowledge (extended abstract). In STOC, pages 235244, 2000.
[CGS08] Nishanth Chandran, Vipul Goyal, and Amit Sahai. New constructions for UC secure
computation using tamper-proof hardware. In EUROCRYPT, pages 545562, 2008.
[CK88] Claude Crepeau and Joe Kilian. Achieving oblivious transfer using weakened security
assumptions (extended abstract). In FOCS, pages 4252, 1988.
[DFK
+
92] Cynthia Dwork, Uriel Feige, Joe Kilian, Moni Naor, and Shmuel Safra. Low commu-
nication 2-prover zero-knowledge proofs for np. In CRYPTO, pages 215227, 1992.
[DHRS04] Yan Zong Ding, Danny Harnik, Alon Rosen, and Ronen Shaltiel. Constant-round
oblivious transfer in the bounded storage model. In Theory of Cryptography, First
Theory of Cryptography Conference, TCC 2004, pages 446472, 2004.
47
[For89] Lance Fortnow. The complexity of perfect zero-knowledge. Advances in Computing
Research: Randomness and Computation, 5:327343, 1989.
[FRS88] Lance Fortnow, John Rompel, and Michael Sipser. On the power of multi-prover
interactive protocols. In Theoretical Computer Science, pages 156161, 1988.
[GIS
+
10] Vipul Goyal, Yuval Ishai, Amit Sahai, Ramarathnam Venkatesan, and Akshay Wadia.
Founding cryptography on tamper-proof hardware tokens. In TCC, 2010.
[GKR08a] Sha Goldwasser, Yael Tauman Kalai, and Guy Rothblum. One-time programs. In
CRYPTO, Lecture Notes in Computer Science, pages 3956. Springer, 2008.
[GKR08b] Sha Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. Delegating computation:
interactive proofs for muggles. In STOC, pages 113122, 2008.
[GMR89] Sha Goldwasser, Silvio Micali, and Charles Racko. The knowledge complexity of
interactive proof systems. SIAM Journal on Computing, 18(1):186208, 1989. Prelim-
inary version in STOC85.
[GMW91] Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their
validity or all languages in NP have zero-knowledge proof systems. Journal of the
ACM, 38(1):691729, 1991. Preliminary version in FOCS86.
[GO96] Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious
rams. J. ACM, 43(3):431473, 1996.
[HHK
+
05] Iftach Haitner, Omer Horvitz, Jonathan Katz, Chiu-Yuen Koo, Ruggero Morselli,
and Ronen Shaltiel. Reducing complexity assumptions for statistically-hiding commit-
ment. In Advances in Cryptology EUROCRYPT 2005, pages 5877, 2005. See also
preliminary draft of full version, www.wisdom.weizmann.ac.il/
~
iftachh/papers/
SCfromRegularOWF.pdf.
[HHRS07] Iftach Haitner, Jonathan J. Hoch, Omer Reingold, and Gil Segev. Finding collisions
in interactive protocols A tight lower bound on the round complexity of statistically-
hiding commitments. In Proceedings of the 47th Annual Symposium on Foundations of
Computer Science (FOCS). IEEE Computer Society, 2007.
[HL08] Carmit Hazay and Yehuda Lindell. Constructions of truly practical secure protocols
using standardsmartcards. In ACM Conference on Computer and Communications
Security, pages 491500, 2008.
[HR07] Iftach Haitner and Omer Reingold. A new interactive hashing theorem. In IEEE
Conference on Computational Complexity, pages 319332, 2007. See also preliminary
draft of full version at the rst authors home page.
[HRVW09] Iftach Haitner, Omer Reingold, Salil P. Vadhan, and Hoeteck Wee. Inaccessible entropy.
In STOC, pages 611620, 2009.
[IPS08] Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious
transfer - eciently. In David Wagner, editor, CRYPTO, volume 5157 of Lecture Notes
in Computer Science, pages 572591. Springer, 2008.
48
[IR89] Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-
way permutations. In Proceedings of the 21st Annual ACM Symposium on Theory of
Computing (STOC), pages 4461. ACM Press, 1989.
[Kat07] Jonathan Katz. Universally composable multi-party computation using tamper-proof
hardware. In EUROCRYPT, Lecture Notes in Computer Science, pages 115128.
Springer, 2007.
[Kil88] Joe Kilian. Founding cryptography on oblivious transfer. In Proceedings of the 20th
Annual ACM Symposium on Theory of Computing (STOC), 988.
[KLR06] Kushilevitz, Lindell, and Rabin. Information-theoretically secure protocols and security
under composition. In STOC: ACM Symposium on Theory of Computing (STOC),
2006.
[Kol10] Vladimir Kolesnikov. Truly ecient string oblivious transfer using resettable tamper-
proof tokens. In TCC, pages 327342, 2010.
[KPT97] Joe Kilian, Erez Petrank, and Gabor Tardos. Probabilistically checkable proofs with
zero knowledge. In STOC: ACM Symposium on Theory of Computing (STOC), 1997.
[KR08] Yael Tauman Kalai and Ran Raz. Interactive PCP. In ICALP (2), pages 536547,
2008.
[LS95] Dror Lapidot and Adi Shamir. A one-round, two-prover, zero-knowledge protocol for
np. Combinatorica, 15(2):204214, 1995.
[Mau92] Ueli M. Maurer. Conditionally-perfect secrecy and a provably-secure randomized ci-
pher. J. Cryptology, 5(1):5366, 1992.
[MS08] Tal Moran and Gil Segev. David and Goliath commitments: UC computation for
asymmetric parties using tamper-proof hardware. In EUROCRYPT, pages 527544,
2008.
[NOVY98] Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Perfect zero-
knowledge arguments for NP using any one-way permutation. Journal of Cryptology,
11(2):87108, 1998. Preliminary version in CRYPTO92.
[OVY93a] Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Fair games against an
all-powerful adversary. AMS DIMACS Series in Discrete Mathematics and Theoretical
Computer Science, pages 155169, 1993. Preliminary version in SEQUENCES91.
[OVY93b] Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Interactive hashing sim-
plies zero-knowledge protocol design. pages 267273, 1993.
[OW93] Rafail Ostrovsky and Avi Wigderson. One-way fuctions are essential for non-trivial
zero-knowledge. In ISTCS, pages 317, 1993.
[Rab81] M. O. Rabin. How to exchange secrets by oblivious transfer. TR-81, Harvard, 1981.
[RB89] Tal Rabin and Michael Ben-Or. Veriable secret sharing and multiparty protocols with
honest majority (extended abstract). In STOC, pages 7385, 1989.
49